And how many web forms forget to check the presence of a percent sign and are executing SQL searches without checking it, using clauses similar to "WHERE table.field LIKE :parameter" by binding directly the submitted form value to the "parameter" variable placeholder, ignoring the fact that the percent sign in the right operand of a LIKE is parsed specially by the SQL engine?

Same thing about programs using submitted values directly (or concatenating them) to create any kind of regular expressions, or to generate a SQL statement (with the security issue of possible SQL injection to retrieve confidential data, by terminating the query statement with a quote, a semicolon, and initiating a second statement which could even drop the full database or alter any other tables in that database?).

2013/3/22 Stephan Stiller <[email protected]>:
>
>> This one is incredible:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=922433
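The LIKE problem described above, as an added example that is not part of the original message: binding the submitted value with a placeholder stops the quote-and-semicolon injection, but `%` and `_` inside the bound value are still LIKE wildcards, so a search for `%` matches every row; the fix is to escape them in the value and declare the escape character with ESCAPE. The table, rows and function names are constructed for the example (SQLite in memory).

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the thread).
USERS = [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con

def search_naive(con, term):
    """Binds the submitted value directly as the LIKE pattern.
    Binding prevents string-termination SQL injection, but the SQL
    engine still treats '%' and '_' in the bound value as wildcards."""
    rows = con.execute("SELECT name FROM users WHERE email LIKE ?", (term,))
    return sorted(r[0] for r in rows)

def escape_like(value, esc="\\"):
    """Escape the LIKE metacharacters (and the escape char itself) so
    the user's value is matched literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))

def search_safe(con, term):
    """Escape the value, tell the engine which escape character is in
    use with ESCAPE, and add the intended wildcards in the query text."""
    pattern = "%" + escape_like(term) + "%"
    rows = con.execute(
        "SELECT name FROM users WHERE email LIKE ? ESCAPE '\\'", (pattern,))
    return sorted(r[0] for r in rows)

if __name__ == "__main__":
    db = make_db()
    print("naive '%':", search_naive(db, "%"))          # every row
    print("naive '_lice@example.com':", search_naive(db, "_lice@example.com"))
    print("safe  '%':", search_safe(db, "%"))           # no literal '%'
    print("safe  'example.com':", search_safe(db, "example.com"))
```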

