Quote:
Originally Posted by k0nr4d
Preventing SQL injection is not rocket science, buddy.
Please don't patronize me. I've worked very closely w/ NATS and CARMA since they were in beta.
I have personally tested and proved SQL injections against NATS and CARMA [and dutifully reported them]. I have looked at the source of both, and literally just took a scroll through it again. There are exploitable areas. I haven't seen a mysql_real_escape_string anywhere in the code I saw, and 6 months ago there were definite issues. htmlspecialchars / [and God forbid] addslashes and their ilk are not SQL protection.
Check out -
http://www.gofuckyourself.com/showpo...&postcount=218
I know programmers love to piss on each other, but the fact of the matter is that basically ANY script online is susceptible to attack, whether it be by the script itself, or the frameworks that support it.
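Added illustration of the point made above about addslashes-style escaping (not code from the post, nor from NATS or CARMA): escaping only helps inside a quoted string context, so an unquoted numeric parameter passes through untouched, while a bound parameter is treated as a value regardless of context. The users table, its rows and the addslashes stand-in are constructed for this example.

```python
import re
import sqlite3


def addslashes(s: str) -> str:
    """Approximation of PHP's addslashes(): backslash-escape ' " \\ and NUL."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)


def setup() -> sqlite3.Connection:
    """Constructed sample table; not real application data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return db


def lookup_escaped(db: sqlite3.Connection, user_id: str) -> list[str]:
    """Escaping-based 'protection' in an unquoted numeric context.

    addslashes() has nothing to escape here, so whatever the caller supplies
    is spliced straight into the statement and alters its logic.
    """
    sql = "SELECT name FROM users WHERE id = " + addslashes(user_id) + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db: sqlite3.Connection, user_id: str) -> list[str]:
    """The fix: bind the value; the driver never lets it become SQL syntax."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (user_id,))]


if __name__ == "__main__":
    conn = setup()
    for value in ("2", "2 OR 1=1"):
        print(repr(value), "escaped:", lookup_escaped(conn, value),
              "parameterized:", lookup_parameterized(conn, value))
```

With the parameterized query the non-numeric input simply matches no row; with the escaped concatenation it returns every user, which is the gap escaping functions cannot close.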