[Koha-devel] Re: XSS Vulnerabilities in Koha
MJ Ray
mjr at phonecoop.coop
Fri Aug 31 12:14:26 CEST 2007
Chris Cormack <crc at liblime.com> wrote:
> On 30/08/2007, at 9:47 PM, Rick Welykochy wrote:
> > Which brings to mind another audit: one for SQL injection attacks. I
> > haven't had a close look at the code, but a grep of "->quote(" turns up 102
> > uses in Koha/2.2.9, which leaves one feeling somewhat confident that
> > the problem has been addressed at one stage.
> >
> Yep, if quote isn't used, placeholders (?) are, which achieves the
> same thing.
Is this quote-or-placeholder policy enforced on patch submission now?
I did the original clean-up a few years ago, but I've changed a few
other additions since. It's probably worth double-checking at some
point, but there shouldn't be too many possible flaws.
Regards,
--
MJ Ray - see/vidu http://mjr.towers.org.uk/email.html
Experienced webmaster-developers for hire http://www.ttllp.co.uk/
Also: statistician, sysadmin, online shop builder, workers co-op.
Writing on koha, debian, sat TV, Kewstoke http://mjr.towers.org.uk/
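The message above asks whether the quote-or-placeholder policy is enforced on patch submission. As an added example (not Koha code and not from anyone on this thread), here is a small heuristic lint in Python that flags DBI calls whose double-quoted SQL literal interpolates a Perl variable, while letting placeholder (?) queries and `$dbh->quote(...)` concatenation pass; the Perl lines it scans are constructed for the demonstration.

```python
import re

# Heuristic lint for the DBI "quote or placeholder" policy (added example, not Koha code).
# It flags a DBI call whose SQL is a double-quoted Perl literal that interpolates a
# variable ($var, @var, ${var}). Placeholders ("?") and concatenating the result of
# $dbh->quote(...) both leave the literal free of variables, so they pass.
# Being regex-based it is a patch-review aid, not a proof: a variable already
# validated or quoted earlier in the code is still reported and needs a human look.
DBI_CALL = re.compile(
    r'->\s*(prepare|do|selectall_arrayref|selectall_hashref|selectrow_array|'
    r'selectrow_arrayref|selectrow_hashref|selectcol_arrayref)\s*\(\s*'
    r'"((?:[^"\\]|\\.)*)"'          # group 2: the double-quoted SQL literal
)
INTERP = re.compile(r'(?<!\\)[$@]\{?\w+')   # an unescaped Perl sigil starting a name

def find_interpolated_sql(perl_source):
    """Return [(line_no, sql_literal)] for DBI calls that interpolate into their SQL."""
    findings = []
    for m in DBI_CALL.finditer(perl_source):
        sql = m.group(2)
        if INTERP.search(sql):
            line_no = perl_source.count("\n", 0, m.start()) + 1
            findings.append((line_no, sql))
    return findings

# Constructed Perl snippet standing in for a submitted patch; lines 3 and 5 should be flagged.
SAMPLE_PERL = "\n".join([
    'my $sth = $dbh->prepare("SELECT * FROM borrowers WHERE cardnumber = ?");',
    '$sth->execute($cardnumber);',
    '$dbh->do("DELETE FROM issues WHERE borrowernumber = $borrowernumber");',
    'my $sth2 = $dbh->prepare("SELECT * FROM items WHERE barcode = " . $dbh->quote($barcode));',
    'my ($n) = $dbh->selectrow_array("SELECT COUNT(*) FROM biblio WHERE title LIKE \'%$term%\'");',
])

if __name__ == "__main__":
    for line_no, sql in find_interpolated_sql(SAMPLE_PERL):
        print(f"line {line_no}: interpolated variable in SQL literal: {sql}")
```

Run against the diff of a submitted patch, anything it reports is worth a second look before the change is applied.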