[ic] SQL Injection?

Bob Puff bob at nleaudio.com
Wed Sep 24 15:18:59 UTC 2014

Peter and Mike: thanks for the reply.  Yes, I have grepped all around, and
have fixed the few sql queries I did find.  But what is still escaping me is
in this list of parameters:

> field=x'%20xor%20sleep(15)%20/*&mv_substring_match=1&mv_searchspec=123

I cannot find where there is a SQL statement that has mv_search_field in it,
so that I can filter it.  This one though obviously is a parameter for a SQL
statement.  Do I need to look inside /usr/local/interchange?

But this one:

> ail=123&mv_same_billing=1&email_copy=1&promo_code=123&country_reset=123

They have done their insertion into mv_nextpage, which I would think would
never hit the SQL, as that is internally used by IC.  I could see if it were
like city or state, which does get inserted into the database, but mv_nextpage?
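
Added example (not part of the original post or of Interchange): a small defender-side script that walks web-server access log lines, URL-decodes each query parameter, and reports which parameter names carried the kind of time-based payload quoted above. That gives the list of parameter names to trace through the catalog and core code (the question raised in the post), and shows that an attacker sprays every parameter, including internal ones such as mv_nextpage, regardless of whether it reaches SQL. The log lines, hosts, paths and timestamps below are constructed for the example; the injected values are the ones quoted in the post.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample access-log lines in combined format. Only the injected
# parameter values come from the post; everything else is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2014:15:10:02 +0000] "GET /cgi-bin/store/search?mv_search_field=x%27%20xor%20sleep(15)%20/*&mv_substring_match=1&mv_searchspec=123 HTTP/1.1" 200 5120
10.0.0.5 - - [24/Sep/2014:15:10:19 +0000] "GET /cgi-bin/store/ord/basket?mv_nextpage=x%27%20xor%20sleep(15)%20/*&mv_same_billing=1&email_copy=1&promo_code=123&country_reset=123 HTTP/1.1" 200 3310
10.0.0.9 - - [24/Sep/2014:15:11:40 +0000] "GET /cgi-bin/store/search?mv_searchspec=widget&mv_substring_match=1 HTTP/1.1" 200 4870
"""

# Request line: method, path, optional query string, protocol.
REQUEST_RE = re.compile(
    r'"(?:GET|POST) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/[\d.]+"'
)
# Markers for time-based blind injection (the sleep(15) in the post) and for a
# closed quote followed by a boolean operator (the x' xor ... shape).
TIME_BASED = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.IGNORECASE)
QUOTE_THEN_BOOL = re.compile(r"['\"]\s*(or|and|xor)\b", re.IGNORECASE)


def payload_kind(value):
    """Classify a decoded parameter value, or return None if it looks benign."""
    if TIME_BASED.search(value):
        return "time-based"
    if QUOTE_THEN_BOOL.search(value):
        return "boolean"
    return None


def suspicious_params(query_string):
    """Map parameter name -> (kind, decoded value) for every flagged parameter.

    parse_qsl performs the percent-decoding, so %27 and %20 are already
    a quote and a space by the time the patterns run.
    """
    hits = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        kind = payload_kind(value)
        if kind:
            hits[name] = (kind, value)
    return hits


def scan_log(text):
    """Return one finding per request whose query string carries a payload."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match or not match.group("query"):
            continue
        hits = suspicious_params(match.group("query"))
        if hits:
            findings.append({"path": match.group("path"), "params": hits})
    return findings


def targeted_params(text):
    """Count how often each parameter name received a payload across the log.

    The resulting names are the ones worth grepping for in the catalog and
    in the Interchange core to see whether they ever reach a SQL statement.
    """
    counts = Counter()
    for finding in scan_log(text):
        counts.update(finding["params"].keys())
    return counts


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        for name, (kind, value) in finding["params"].items():
            print(f"{finding['path']}: {name} <- {kind}: {value!r}")
    print("parameters hit:", dict(targeted_params(SAMPLE_LOG)))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. The counts from targeted_params are the work list: each name in it has to be traced through the code that builds SQL, and any that reach a query must be passed as bound placeholders rather than interpolated into the statement text.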

