[aprssig] APRS IS streams and MySQL

Scott Miller scott at opentrac.org
Sun Sep 13 00:26:15 EDT 2009


Dang, you beat me to it!  I think things are (hopefully) a little better 
these days, but it used to be you could break all sorts of stuff just by 
putting an apostrophe in a web form... and if the DB server gave you a 
nice error message, it made exploiting it that much easier.

This and the buffer overflows we were talking about earlier should be in 
the top 5 for security problems programmers should know to watch for.

Scott
N1VG

Jon Kåre Hellan wrote:
> Andrew Rich (Home) wrote:
>> Sorry you lost me
>>
>> "given input from an outside source" where else does it come from?
> 
> See e.g. http://xkcd.com/327/
> 
> Jon LA4RT
> 
>> ----------------------------------------------------------
>> Andrew Rich
>> Airways Technical Officer Grade 4
>> Surveillance - RADAR ADS-B
>> Amateur Radio Callsign VK4TEC
>> email: vk4tec at tech-software.net
>> web: www.tech-software.net
>> ----- Original Message ----- From: "Jordan Hayes KG6UAE" 
>> <kg6uae at arrl.net>
>> To: "TAPR APRS Mailing List" <aprssig at tapr.org>
>> Sent: Sunday, September 13, 2009 2:06 AM
>> Subject: Re: [aprssig] APRS IS streams and MySQL
>>
>>
>>>> the APRS stream contains characters that MySQL or
>>>> QUERY forming applications may not like.
>>>>
>>>> Just wondering how the big guns handle these?
>>>
>>> You should never generate SQL text in your applications given input from
>>> an outside source; you should always use PreparedStatement and the like.
>>>
>>> /jordan
>>>
>>>
>>> _______________________________________________
>>> aprssig mailing list
>>> aprssig at tapr.org
>>> https://www.tapr.org/cgi-bin/mailman/listinfo/aprssig
>>
>>
> 
> 
> 
> 
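As an added example, not code from Scott, Jordan or anyone else in this thread, the script below shows the point the thread makes: an APRS-IS comment field that merely contains an apostrophe breaks an INSERT built by string concatenation, while the same packet is stored intact through a parameterized statement. It uses Python's sqlite3 in place of MySQL so it runs offline (MySQL connectors use %s placeholders, the principle is identical); the packets are constructed samples, not real traffic.

```python
import sqlite3

# Constructed sample APRS-IS lines (not real traffic). The second carries an
# apostrophe in its comment field, the character the thread is about; the
# third mixes double quotes, a backslash and a semicolon.
SAMPLE_PACKETS = [
    "N0CALL-9>APRS,TCPIP*,qAC,T2TEST:!4903.50N/07201.75W-Mobile, 73",
    "N0CALL-9>APRS,TCPIP*,qAC,T2TEST:!4903.50N/07201.75W-Scott's mobile",
    "N0CALL-1>APRS,TCPIP*,qAC,T2TEST:>Status \"quoted\" with a \\ and a ;",
]

def parse_packet(line):
    """Split an APRS-IS line into source call, digipeater path and payload."""
    header, _, payload = line.partition(":")
    src, _, path = header.partition(">")
    return src, path, payload

def insert_concatenated(conn, line):
    """Unsafe: the packet text is spliced into the SQL statement itself."""
    src, path, payload = parse_packet(line)
    sql = ("INSERT INTO packets (src, path, payload) "
           f"VALUES ('{src}', '{path}', '{payload}')")
    conn.execute(sql)

def insert_parameterized(conn, line):
    """Safe: the driver binds the fields as data, never as SQL text."""
    src, path, payload = parse_packet(line)
    conn.execute("INSERT INTO packets (src, path, payload) VALUES (?, ?, ?)",
                 (src, path, payload))

def run(packets=SAMPLE_PACKETS):
    """Feed every packet through both paths, each on its own in-memory DB.
    Returns (lines that broke the concatenated statement, the DB error
    messages, payloads stored by the parameterized path)."""
    unsafe, safe = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    for conn in (unsafe, safe):
        conn.execute("CREATE TABLE packets (src TEXT, path TEXT, payload TEXT)")
    broken, errors = [], []
    for line in packets:
        try:
            insert_concatenated(unsafe, line)
        except sqlite3.OperationalError as exc:
            broken.append(line)      # the statement fell apart on packet text
            errors.append(str(exc))  # the "nice error message" Scott mentions;
                                     # log it server-side, never echo it back
        insert_parameterized(safe, line)
    stored = [row[0] for row in safe.execute("SELECT payload FROM packets")]
    return broken, errors, stored
```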