Re: Bug#652464: ITP: aguilas -- A web-based LDAP user management system
On 17/12/11 16:19, Sune Vuorela wrote:
> On Saturday 17 December 2011 14:48:22 Luis Alejandro Martínez Faneyth wrote:
>> Package: wnpp
>> Severity: wishlist
>> Owner: "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>
>>
>> * Package name : aguilas
>> Version : 1.0.0
>> Upstream Author : Luis Alejandro Martínez Faneyth
>> <martinez.faneyth@gmail.com>
>> * URL : http://code.google.com/p/aguilas
>> * License : GPL-3
>> Programming Lang: PHP
>> Description : A web-based LDAP user management system
>>
>> AGUILAS is an application written mostly in PHP, but it has bits of
>> JavaScript, SQL, style sheets and of course, HTML. It is a centralized
>
> I was showing 'aguilas' to some people also looking for web based ldap user
> management systems, and then within not too much time, I got a message back
> saying
>
> "not sure I like the look of that sql query..."
> "sql injection in 5 seconds flat"
>
>
> $sel_q = "SELECT * FROM NewUser"
> . " WHERE mail='" . $mail . "'"
> . " AND uid='" . $uid . "'"
> . " AND token='" . $token . "'"
> . " ORDER BY token DESC LIMIT 0,1";
Thanks for having a look :)
Well, I perform a very strict validation before that query is made.
Lines 20 - 54:
http://code.google.com/p/aguilas/source/browse/NewUserDo.php#20
http://code.google.com/p/aguilas/source/browse/NewUserDo.php#54
Are you still scared?
>
> I also got a bit scared by this.
>
> /Sune
--
Nothing more to add, and always at your service,
Luis Alejandro Martínez Faneyth
Telecommunications Engineer
Blog: http://www.huntingbears.com.ve/
Twitter: @LuisAlejandro
GPG Key = E78DAA2E
CODE IS POETRY
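The query Sune quoted builds its WHERE clause by concatenating $mail, $uid and $token into the SQL text, which is why the reaction was "sql injection". The snippet below is an added example, not code from aguilas or from either poster: it is the same NewUser lookup rewritten as a PDO prepared statement, so the three values are sent to the driver as bound parameters and never become part of the statement text. It assumes a NewUser table with mail, uid and token columns (taken from the column names in the quoted query) and uses an in-memory SQLite database with a constructed row so it runs offline; the same placeholders work unchanged with the MySQL PDO driver the project would use.

```php
<?php
// Added example (not aguilas code): NewUser lookup with bound parameters.
// Table layout is assumed from the quoted query; the row is constructed sample data.

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE NewUser (mail TEXT, uid TEXT, token TEXT)');

    // Constructed sample row standing in for a pending registration.
    $ins = $db->prepare(
        'INSERT INTO NewUser (mail, uid, token) VALUES (:mail, :uid, :token)'
    );
    $ins->execute([':mail' => 'alice@example.org', ':uid' => 'alice', ':token' => 'abc123']);
    return $db;
}

// Parameterised equivalent of the quoted $sel_q. The statement text contains only
// placeholders; the values travel separately, so quoting them is no longer the
// application's job. The input validation done earlier in NewUserDo.php then
// becomes a second layer of defence rather than the only one.
function findPendingUser(PDO $db, string $mail, string $uid, string $token): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM NewUser'
        . ' WHERE mail = :mail AND uid = :uid AND token = :token'
        . ' ORDER BY token DESC LIMIT 1'
    );
    $stmt->execute([':mail' => $mail, ':uid' => $uid, ':token' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = openDemoDb();

// Matching credentials return the row.
$hit = findPendingUser($db, 'alice@example.org', 'alice', 'abc123');
echo $hit !== null ? "match found\n" : "no match\n";

// A value containing a quote character is compared literally as data and simply
// fails to match; it cannot change the shape of the statement.
$miss = findPendingUser($db, "o'brien@example.org", 'alice', 'abc123');
echo $miss !== null ? "match found\n" : "no match\n";
```

When this is run against MySQL rather than SQLite, set PDO::ATTR_EMULATE_PREPARES to false on the connection so the server, not the client library, handles the parameter binding; otherwise the structure is identical.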