> OK, I checked into this further, and I must apologize: you are correct.
> I suspect that most of us didn't remember that this feature even
> existed...
You don't have to apologize. And indeed... I don't get the idea that
many people know about this. Besides you and maybe one or two others
I hav
On Mon, 2002-02-11 at 00:21, * R&zE: wrote:
> I understand you try to 'protect' your own product, but you have to
> stay a bit realistic about some things. Of course I check the input.
> But you know... there's absolutely nothing wrong with allowing
> quotes to be stored in the database. It's just
To: "Jerry Verhoef (UGBI)" <[EMAIL PROTECTED]>
Cc: "PHP General Mailinglist" <[EMAIL PROTECTED]>
Sent: Tuesday, February 12, 2002 12:20 PM
Subject: RE: [PHP] ODBC_EXECUTE has a DANGEROUS 'feature'!!!
> On Mon, 2002-02-11 at 06:46, Jerry Verhoe
On Mon, 2002-02-11 at 06:46, Jerry Verhoef (UGBI) wrote:
> I think you all are missing the point that *R&zE is making.
>
> The software you use/create should be bug-free and free from undocumented
> features. Otherwise security risks could occur. And of course all other
In a perfect world, yes. H
> *Always* validate your data. If you validate your data and never trust
> anything which comes from the client side of the connection, your
> problem goes away. I mean, you wouldn't pass user data to exec()
> or fopen() without some serious checking, would you? ;)
>
> Sure, PHP could try to pre
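The reply above argues that the problem disappears if user-supplied data is validated before it reaches odbc_execute(), just as it would be before exec() or fopen(). The following PHP snippet is an added example of that discipline and is not code from the thread or from PHP itself; the DSN, credentials, table and column names, and the shape of the two parameters are assumptions chosen for illustration. It whitelists each value by the form the application actually needs and only then hands it to a prepared statement as a bound parameter.

```php
<?php
// Added example, not from the mailing-list thread: validate request data
// before it reaches odbc_execute(). DSN, credentials and schema are assumed.

function validate_customer_id(string $raw): int
{
    // Accept only what the application needs: a bounded positive integer.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        throw new InvalidArgumentException('customer id must be a positive integer');
    }
    return (int) $raw;
}

function validate_country_code(string $raw): string
{
    // Whitelist by shape: two ASCII uppercase letters. Quotes, slashes and
    // any other punctuation are rejected here and never reach the driver.
    if (!preg_match('/^[A-Z]{2}$/', $raw)) {
        throw new InvalidArgumentException('country code must be two uppercase letters');
    }
    return $raw;
}

function lookup_customer($conn, string $rawId, string $rawCountry): array
{
    $id      = validate_customer_id($rawId);
    $country = validate_country_code($rawCountry);

    // Placeholders keep the values out of the SQL text; the validation above
    // keeps the values inside the set the application expects.
    $stmt = odbc_prepare(
        $conn,
        'SELECT name, email FROM customers WHERE id = ? AND country = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . odbc_errormsg($conn));
    }
    if (!odbc_execute($stmt, [$id, $country])) {
        throw new RuntimeException('execute failed: ' . odbc_errormsg($conn));
    }

    $rows = [];
    while (($row = odbc_fetch_array($stmt)) !== false) {
        $rows[] = $row;
    }
    return $rows;
}

// Usage: request values are untrusted until a validator has accepted them.
$conn = odbc_connect('crmdb', 'app_user', 'app_password'); // assumed DSN/credentials
if ($conn === false) {
    http_response_code(500);
    exit('database connection failed');
}

try {
    $rows = lookup_customer($conn, $_GET['id'] ?? '', $_GET['country'] ?? '');
    header('Content-Type: text/plain');
    print_r($rows);
} catch (InvalidArgumentException $e) {
    // Reject rather than "clean up": a value that fails validation is not
    // rewritten into something acceptable, it is refused.
    http_response_code(400);
    echo 'rejected: ' . $e->getMessage();
}
```

The validators deliberately reject rather than sanitise: a value that does not match the expected shape is refused with a 400, which is the behaviour the reply is asking for when it says never to trust anything from the client side.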
On Fri, 2002-02-08 at 04:43, * R&zE: wrote:
> Hi folks,
>
> I don't know if everyone ever knew this, but I haven't been able to
> find anything about this, anywhere...
>
> odbc_execute has a very dangerous 'feature'. I would like to call it
> a bug, because someone has implemented it on purpose
Usually I would agree with you. Like I wrote in my message, I would
like to call it a bug, but it was written on purpose. That would
make it a feature!?!
It's an if-block of approx. 20 lines that makes sure this happens.
Looks like someone _really_ wanted PHP to do this...
> This is what we call a B
This is what we call a BUG
Report it on http://bugs.php.net
thx
> -Original Message-
> From: * R&zE: [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 08, 2002 1:44 PM
> To: PHP General Mailinglist
> Subject: [PHP] ODBC_EXECUTE has a DANGEROUS 'feature'!!!
>
>
> Hi folks,
>
>