It does not seem to be a SQL injection vulnerability. In fact, it just looks like a wrong replacement, but it's confined to the 'string'. Actually, the real problem is that this error, when debug mode is active, lets anyone discover the $prefix value, which should be kept secret in case of blind SQL injections...

Giacomo

--
#                 @@@
#                (0 0)
=================ooO=(_)=Ooo=======================================
# Name: Giacomo Rizzo [ aka: alt-os ] - http://www.free-os.it
# OS: Gnu (Slackware 10.0/Linux 2.6.7)
# --
# Coordinator HANC (http://www.hancproject.org)
# Coordinator POuL (http://www.poul.org)
# --
# Linux Registered User: #331781, Linux Registered Machine: #216123
===================================================================