
[Ampache updated] packages that use deprecated SQL escape functions



On Thu, 2009-10-15 at 13:26 +1100, Steffen Joeris wrote:
> Hi everyone
> 
> We had a few issues in the past with insufficient database escaping, which led 
> to possible SQL injections due to the use of the deprecated functions 
> mysql_escape_string() and PQescapeString().
> These functions do not take the encoding of the established connection into 
> account, which can lead to insufficient escaping, if the encoding of this 
> connection can be set to certain multibyte character encodings (such as GBK).
> I found the explanation given in this email[0] quite useful to elaborate on 
> the thread.
> 
> In order to prevent this issue, the new functions mysql_real_escape_string()
> [1] and PQescapeStringConn()[2] have been added, which honour the specific 
> encoding of the connection.
> 
[snip]
> 
> ampache: Charlie Smotherman <cjsmo@cableone.net>
>  ./ampache-3.5.1/modules/getid3/extension.cache.mysql.php:            $filenam2 = mysql_escape_string($filename);
>  ./ampache-3.5.1/modules/getid3/extension.cache.mysql.php:            $res2 = mysql_escape_string(serialize($result));
> 
Steffen,

Thanks for the mail.  I have patched ampache to use
mysql_real_escape_string().  I would appreciate it if someone would
sponsor this fix.

http://mentors.debian.net/debian/pool/main/a/ampache/ampache_3.5.1-2.dsc

Thank you
Charlie Smotherman

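The change Steffen asks for, shown as an added example that is not the Ampache or getID3 code: a hypothetical cache class (the class name, table name and `$this->connection` property are assumptions) with the flagged `mysql_escape_string()` calls beside their `mysql_real_escape_string()` replacements, written against the PHP 5 ext/mysql API that Ampache 3.5.1 used.

```php
<?php
// Added example, not Ampache's or getID3's own code. Assumes a class that
// keeps an ext/mysql link resource in $this->connection (PHP 5.x API).

class ExampleCache
{
    private $connection;

    public function __construct($host, $user, $pass, $db)
    {
        $this->connection = mysql_connect($host, $user, $pass);
        if ($this->connection === false) {
            throw new RuntimeException('connect failed: ' . mysql_error());
        }
        mysql_select_db($db, $this->connection);
        // Tell the client library which charset this connection uses, so
        // mysql_real_escape_string() applies that charset's byte rules.
        // A bare "SET NAMES" query does not update the client library.
        mysql_set_charset('utf8', $this->connection);
    }

    // Before: mysql_escape_string() escapes bytes with no knowledge of the
    // connection charset, which is the weakness Steffen's mail describes.
    public function buildInsertVulnerable($filename, $result)
    {
        $filenam2 = mysql_escape_string($filename);
        $res2 = mysql_escape_string(serialize($result));
        return "INSERT INTO example_cache (filename, value) "
             . "VALUES ('$filenam2', '$res2')";
    }

    // After: pass the link explicitly so escaping honours the charset set on
    // this connection rather than whichever link was opened last.
    public function buildInsertFixed($filename, $result)
    {
        $filenam2 = mysql_real_escape_string($filename, $this->connection);
        $res2 = mysql_real_escape_string(serialize($result), $this->connection);
        return "INSERT INTO example_cache (filename, value) "
             . "VALUES ('$filenam2', '$res2')";
    }
}
```

The fix is only complete when the charset the client library knows about matches the one the server uses for the connection, which is why the constructor sets it with mysql_set_charset() rather than with a SET NAMES query.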

