05-24-2006, 09:37 AM
PostgreSQL issues security updates to fix SQL injection vulnerabilities in versions 8.1, 8.0, 7.4, and 7.3
full article: http://www.newsforge.com/article.pl?sid=...23/2141246
Quote: The PostgreSQL project released updated versions of the PostgreSQL 8.1, 8.0, 7.4, and 7.3 series today to address a SQL injection vulnerability...
The vulnerability affects PostgreSQL servers exposed to untrusted input, such as input coming from Web forms, in conjunction with multi-byte encodings like Shift-JIS (SJIS), 8-bit Unicode Transformation Format (UTF-8), 16-bit Unicode Transformation Format (UTF-16), and BIG5.
In particular, Berkus says that applications using "ad-hoc methods to 'escape' strings going into the database, such as regexes, or PHP3's addslashes() and magic_quotes" are particularly unsafe. "Since these bypass database-specific code for safe handling of strings, many such applications will need to be re-written to become secure." He also notes that the addslashes function was deprecated in PHP 4.0 due to security risks, but a "distressing" number of PHP applications continue to use the function...
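The article's point that byte-level escaping such as addslashes() cannot be trusted under multibyte encodings can be checked directly. The following Python is an added example, not code from the PostgreSQL project or from the article; the function names (php_addslashes, quotes_all_escaped, validate_encoding, quote_literal) and the sample inputs are my own constructions. It ports addslashes() to a byte-level routine, interprets its output the way a Shift-JIS client connection would, and then shows the encoding-aware handling the article recommends instead: reject input that is malformed in the declared client encoding, and quote on decoded characters rather than on bytes.

```python
"""Byte-level 'addslashes' escaping versus encoding-aware handling.

Added example; not code from the PostgreSQL project or the quoted article.
All function names and sample inputs here are constructed for illustration.
"""


def php_addslashes(data: bytes) -> bytes:
    """Byte-level escaping in the style of PHP's addslashes(): a backslash
    (0x5C) is inserted before ', ", \\ and NUL, with no knowledge of the
    text encoding the bytes are written in."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quotes_all_escaped(escaped: bytes, encoding: str) -> bool:
    """Interpret the escaped bytes the way a server using `encoding` would,
    and report whether every single-quote character is still preceded by a
    backslash character. Returns False if the bytes do not decode or if a
    bare quote survives; this is the check ad-hoc escaping never performs."""
    try:
        text = escaped.decode(encoding)
    except UnicodeDecodeError:
        return False
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            return False
    return True


def validate_encoding(data: bytes, encoding: str) -> str:
    """Reject input that is not well-formed in the declared client encoding.
    A lone multibyte lead byte left in the input is exactly what lets a
    backslash inserted later be absorbed into a two-byte character."""
    return data.decode(encoding, errors="strict")  # raises UnicodeDecodeError


def quote_literal(text: str) -> str:
    """SQL-standard literal quoting done on decoded characters, not bytes:
    double each single quote and wrap the result in quotes. Because it runs
    after decoding, no byte of the output can be re-read as part of another
    character when the server decodes it again."""
    return "'" + text.replace("'", "''") + "'"


# Constructed sample inputs (not from the page).
ASCII_INPUT = b"O'Brien"
# An ASCII prefix followed by a lone Shift-JIS lead byte (0x81) and an
# apostrophe (0x27): malformed in Shift-JIS, since 0x27 is not a trail byte.
MALFORMED_SJIS_INPUT = b"abc\x81'"


def demo() -> dict:
    """Run both approaches over the sample inputs and return the outcomes."""
    results = {}
    # Plain ASCII: addslashes() output reads back with the quote escaped.
    results["ascii_addslashes"] = quotes_all_escaped(
        php_addslashes(ASCII_INPUT), "shift_jis")
    # Malformed Shift-JIS: after addslashes() the bytes 0x81 0x5C decode as
    # one two-byte character, so the following quote is bare on the server.
    results["sjis_addslashes"] = quotes_all_escaped(
        php_addslashes(MALFORMED_SJIS_INPUT), "shift_jis")
    # Encoding-aware path: strict decoding rejects the malformed input before
    # any quoting happens.
    try:
        validate_encoding(MALFORMED_SJIS_INPUT, "shift_jis")
        results["sjis_rejected"] = False
    except UnicodeDecodeError:
        results["sjis_rejected"] = True
    # Well-formed input is decoded first, then quoted on characters.
    results["ascii_literal"] = quote_literal(
        validate_encoding(ASCII_INPUT, "shift_jis"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

demo() returns True for the ASCII case and False for the malformed Shift-JIS case under addslashes(), while the encoding-aware path rejects the malformed bytes outright. quote_literal is included to make the character-versus-byte distinction visible; in an application the preferred route is to keep user data out of the SQL text entirely by passing it as a bound parameter through the driver's parameterized-query interface, which is the database-specific string handling the article says ad-hoc escaping bypasses.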