Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

As a side note, this is how many SQL injection attacks happen too. You almost never want unfiltered user input to directly interact with your system. A while back, I did an episode on how SQL injection can lead to code execution by using unfiltered user input on a LAMP stack. See it @ http://sysadmincasts.com/episodes/21-anatomy-of-a-sql-inject...


Side side note. This same carelessness is what caused the heart bleed bug.


Well, in a sense maybe, but not on purpose there. The programmer had missed a bounds check.


I think you're giving him too much credit. The input was not sanitized. Now its no one programmers fault. It was a long living bug many had a chance to see it and correct it for a long time. It was rooted in the same carelessness as exec(GET)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: