Re: [Ruqueue-devel] XSS attacks and SQL injection
From: John Fulton
Subject: Re: [Ruqueue-devel] XSS attacks and SQL injection
Date: Fri, 27 Feb 2009 10:38:59 -0500
User-agent: Thunderbird 2.0.0.19 (X11/20090105)
David F. Skoll wrote:
> I heard of ruQueue via a Slashdot article, so I downloaded it. I took
> a quick look at the code and noticed many places where XSS attacks and
> SQL injection can happen.
Hi David,
Yes, it could use a comb through to protect it against SQL injection. At
least the direct use of mysql_query() should have probably been
abstracted into a separate function so that this kind of clean up would
be easier.
> ru-queue-1.2.2.tar.gz is dated 2005, so maybe it's no longer
> maintained?
Could be. I was heavily involved in the project when I worked at Rutgers
but I left years ago and no longer work on it. I have not seen much done
on it since then.
John
--
John Fulton, Assoc. Director IT Systems, 610-330-5650
Lafayette College, 11 Pardee Dr, Easton PA 18042-1775
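Added illustration of the abstraction John describes (not code from the thread or from ruQueue): every query goes through one helper that binds values with prepared statements, and every value is HTML-encoded by one helper before it is echoed. It assumes a mysqli connection in `$db` (with mysqlnd, for `get_result()`) and a hypothetical `tickets` table; `mysql_query()` itself no longer exists in PHP 7+.

```php
<?php
// Pattern the message is about: request input spliced straight into SQL at
// each call site (mysql_query() is gone in PHP 7+, shown only for contrast).
//   mysql_query("SELECT * FROM tickets WHERE id = " . $_GET['id']);
// Cleaning that up means touching every such line; a single wrapper does not.

// One place that talks to the database: SQL with '?' placeholders plus a
// list of values, bound via a prepared statement, so no value is ever
// concatenated into the query text.
function db_query(mysqli $db, string $sql, array $params = []): array
{
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    if ($params !== []) {
        // Bind everything as a string; MySQL coerces numeric columns on
        // comparison, and the value is still a parameter, not SQL text.
        $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    }
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $result = $stmt->get_result(); // requires mysqlnd (assumed)
    return $result === false ? [] : $result->fetch_all(MYSQLI_ASSOC);
}

// Call sites become trivial and uniform (hypothetical tickets table).
function find_ticket(mysqli $db, string $id): array
{
    return db_query($db, 'SELECT id, subject FROM tickets WHERE id = ?', [$id]);
}

// Output side (the XSS half): one helper that encodes every value for HTML,
// so a subject like "<script>" is rendered as text, not executed.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage, assuming $db is an open mysqli connection:
// foreach (find_ticket($db, $_GET['id'] ?? '') as $row) {
//     echo '<li>' . h($row['subject']) . '</li>';
// }
```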