20 Jul
2006
20 Jul
'06
10:59 a.m.
biuro@globeinphotos.com wrote:
Digest URI contains "sip:+48580001@test.pl" which is value typed by user. But few lines below sql statement is called but this time Digest URI has incorrect value:
See "sql.conf", "safe_characters". By default, "+" is escaped before being inserted into sql. Otherwise, you may be vulnerable to SQL injection attacks.
Do you know why this conversion happen? And how to switch off this conversion.
Switch it off with care. If you do that, users may log in with SQL commands, and do strange things to your DB. Alan DeKok.