<![CDATA[Tracmor Forum - Custom Field: SQL Injection]]> http://www.tracmor.com/forum/topic/164/custom-field-sql-injection/ Thu, 23 Jul 2009 18:36:05 +0000 PunBB <![CDATA[Re: Custom Field: SQL Injection]]> http://www.tracmor.com/forum/post/507/#p507 Thanks for reporting this.  We are looking into it now.

]]> Thu, 23 Jul 2009 18:36:05 +0000 http://www.tracmor.com/forum/post/507/#p507 <![CDATA[Custom Field: SQL Injection]]> http://www.tracmor.com/forum/post/504/#p504 1) Create new custom text area field "sqlinject", tied to asset, enabled
2) ensure magic_quotes_gpc is turned off per http://www.tracmor.com/forum/topic/119/ … es-needed/ (restart if needed)
3) add new asset, use as input for sqlinject custom field {I'd not type something like; drop table assets ; in this field} (sans curlies)
4) note error
5) rejoice

... unless I was updating said field.

tracmor 0.2.0; ubuntu intrepid/ standard apache2/php w/ php mem increased + magic_quotes_gpc off

]]> Thu, 23 Jul 2009 04:03:30 +0000 http://www.tracmor.com/forum/post/504/#p504