[Care2x-general] Fw: Re: AW: [Care2002-developers] about patients and personnel in the same table
Walter Nunez
admin en ciberneticamedica.com
Mon Nov 15 15:15:32 CET 2004
Hi,
yes, this sql inject can be dangerous. If somebody detects any part of care2x
that can be compromised, please inform us immediately. Of course, one needs
to describe exactly what one did and how, which part of the program, etc.
Thanks,
Elpidio
On Monday 15 November 2004 02:27, Daniel Ignat wrote:
> Yes, you are right, that was just an example
> so that people may realize the danger.
>
> Look in 'google' about sql inject and you will
> realize that the things can get more complex,
> and not only in queries about 'users' and
> 'passwords', but about patient names or
> clinical history, for example, by people who
> should not have access to that.. the 'injection'
> may occur in a 'multi table' query for example,
> with the password 'well' protected as you stated
> here.. but with another unprotected field which
> takes another user input and appends to the main
> 'protected' query.. People may even save
> locally the html pages, modify them to avoid the
> javascript checking code and use them to query
> your database.. if the server script doesn't check
> thoroughly the user input.. that's why I said about
> php native functions (like addslashes, as Elpidio said)
> or regexp functions (more restrictive so, more secure)
--
Walter Alfonso Núnez Rivera
Physician - Programmer
Pascual de Andagoya 140 Lima 32 Perú
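The failure mode Daniel describes above, a query whose password field is escaped but whose second user-supplied field is appended raw, is easy to reproduce. The following is an added illustration written for this archive page, not Care2x code and not code from either correspondent. It uses an in-memory SQLite database with constructed sample rows; `escape_quotes` stands in for the role `addslashes` plays against MySQL (SQLite escapes a quote by doubling it, not with a backslash), and the table, column and function names are assumptions. The hardened version does the two things the thread recommends: it validates the input on the server with a restrictive regular expression, so a locally edited HTML page that skips the JavaScript check changes nothing, and it binds every value as a parameter instead of building the statement by string concatenation.

```python
import re
import sqlite3


def make_db():
    """Build a small in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("CREATE TABLE patients (id INTEGER, name TEXT, user_name TEXT)")
    # Constructed rows for the demo only; plaintext passwords are not a
    # recommendation, they just keep the example short.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)",
                     [(1, "Patient One", "alice"), (2, "Patient Two", "bob")])
    return conn


def escape_quotes(value):
    """Quote escaping for SQLite string literals (the addslashes role)."""
    return value.replace("'", "''")


def lookup_vulnerable(conn, user_name, password, patient_filter):
    """The 'multi table' query from the thread: credentials are escaped,
    but patient_filter is appended to the statement unprotected."""
    sql = ("SELECT p.id, p.name FROM patients p "
           "JOIN users u ON u.name = p.user_name "
           "WHERE u.name = '%s' AND u.password = '%s' AND p.name LIKE '%s'"
           % (escape_quotes(user_name), escape_quotes(password), patient_filter))
    return conn.execute(sql).fetchall()


# Server-side allowlist: letters, digits and spaces only, at most 63 characters.
# This runs on the server, so bypassing the browser's JavaScript check does
# not help; it is deliberately more restrictive than a quote-escaping filter.
PATIENT_FILTER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 ]{0,62}$")


def lookup_hardened(conn, user_name, password, patient_filter):
    """Same lookup with input validation and bound parameters."""
    if not PATIENT_FILTER_RE.match(patient_filter):
        raise ValueError("rejected patient filter: %r" % patient_filter)
    sql = ("SELECT p.id, p.name FROM patients p "
           "JOIN users u ON u.name = p.user_name "
           "WHERE u.name = ? AND u.password = ? AND p.name LIKE ?")
    # Every value is passed as a parameter; the database never parses it as SQL.
    return conn.execute(sql, (user_name, password, "%" + patient_filter + "%")).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input that closes the LIKE literal and appends OR '1'='1'.
    bad_filter = "%' OR '1'='1"
    print("vulnerable, wrong password:", lookup_vulnerable(db, "alice", "wrong", bad_filter))
    try:
        lookup_hardened(db, "alice", "wrong", bad_filter)
    except ValueError as exc:
        print("hardened:", exc)
```

With the wrong password, the vulnerable query still returns every patient for every user, because the appended `OR '1'='1'` turns the whole `WHERE` clause true; the hardened query rejects the input before it reaches the database, and even an input that passed the regex would be bound as a plain string.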