(03-20-2015, 04:53 AM)Me.B Wrote:
(03-20-2015, 04:14 AM)KwiceroLTD Wrote:
(03-19-2015, 07:47 AM)TGates Wrote: Yes, we know there are no known flaws in security right now. They have not shown any proof that the current release has any. If they do find them and post them up, we of course will jump right on it!
EDIT: They provided proof and good examples of the issues. Now we have something to work from rather than just 'vulnerabilities' LOL
I'm saddened by your immaturity on this matter. Security is very important.
There are multiple, MULTIPLE issues in this, and I don't even do auditing for a living or as a hobby.
Code:
$sql = $zdbh->prepare("INSERT INTO $database.$table_name $insert");
Just a prime example, a safer practice would be:
Code:
// Note: PDO placeholders bind values only; database/table names are identifiers and must be validated separately
$sql = $zdbh->prepare("INSERT INTO ?.? ?");
$sql->execute(array($database, $table_name, $insert));
Therefore removing the possibility of SQL injection.
Thanks for the input. We care about security, and the above statement expresses only the point of view of TOM. You know there are many of us here trying our best, and we may have different areas of expertise.
OK I agree SQL injection might be better prevented, I've even gone further and asked we move to stored procedures!
Well, I never said not everyone cared about security, it's clear ballen doesn't care about security.
It's time for Sentora to stop using a fork of already vulnerable code, to spend a weekend, and just crack out a completely recoded version, otherwise you're just expanding and in the end creating more vulnerabilities rather than patching them.
My opinions are mine and mine alone. They do not reflect the opinions of my company, staff, and its affiliates.
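The INSERT built from $database, $table_name and $insert above is the kind of string-concatenated query the thread is arguing about. The caveat a practitioner would add to KwiceroLTD's suggestion is that PDO placeholders can only bind values, not identifiers, so "INSERT INTO ?.? ?" cannot be prepared; the table name has to be checked against a whitelist and only the column values bound. The following is an added example, not Sentora's code; the table whitelist, the safeInsert() function and the in-memory SQLite database are assumptions so that it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Constructed whitelist of tables this code is allowed to write to.
const ALLOWED_TABLES = ['x_accounts', 'x_domains'];

// Validates the identifiers, then binds every value through a prepared statement.
function safeInsert(PDO $zdbh, string $table_name, array $row): int
{
    // Identifiers cannot be parameterised: reject anything not on the whitelist.
    if (!in_array($table_name, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Unknown table: $table_name");
    }
    // Column names are identifiers too: allow only simple [A-Za-z0-9_] names.
    foreach (array_keys($row) as $col) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $col)) {
            throw new InvalidArgumentException("Bad column name: $col");
        }
    }
    $cols  = implode(', ', array_map(fn($c) => "`$c`", array_keys($row)));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $sql = $zdbh->prepare("INSERT INTO `$table_name` ($cols) VALUES ($marks)");
    $sql->execute(array_values($row)); // values are bound, never concatenated
    return (int) $zdbh->lastInsertId();
}

// Stand-alone setup: in-memory SQLite instead of Sentora's MySQL connection.
$zdbh = new PDO('sqlite::memory:');
$zdbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$zdbh->exec('CREATE TABLE x_accounts (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');

// A value containing quote characters is stored literally, not interpreted as SQL.
safeInsert($zdbh, 'x_accounts', [
    'username' => "o'brien",
    'email'    => "a@example.com'); DROP TABLE x_accounts; --",
]);
$stored = $zdbh->query('SELECT username, email FROM x_accounts')->fetch(PDO::FETCH_ASSOC);
echo "stored email: {$stored['email']}\n";

// A table name that is not whitelisted is rejected before any SQL is built.
try {
    safeInsert($zdbh, 'x_accounts; DROP TABLE x_accounts; --', ['username' => 'x']);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```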