registration problem

18 years 1 month ago #7675 by philzy99
Replied by philzy99 on topic Re:registration problem

Please beware that the replacement suggested above opens a hole for SQL injection attacks...


This is a little concerning; however, the code provided as an alternative did not work for me. SO, if a snippet could be placed that allowed functionality and security, it would be GREATLY appreciated! Thanks BTW for the fix, Chris! :)


18 years 2 weeks ago #9673 by eyekon1
Replied by eyekon1 on topic Re:registration problem
What folder do I find this comprofiler.php in?


18 years 2 weeks ago #9677 by eyekon1
Replied by eyekon1 on topic Re:registration problem
eyekon1 wrote:

What folder do I find this comprofiler.php in?


Never mind, found it :laugh:


18 years 2 weeks ago #9728 by eyekon1
Replied by eyekon1 on topic Re:registration problem
beat wrote:

Sibling Chris wrote:

If your problems are exactly the same as I described mine were using Mambo 4.5.3, then I would think the same fix I suggested to comprofiler.php will work; it certainly sorted things for me.

in comprofiler.php look for

confirm(mosGetParameter($_REQUEST,'confirmcode','1'));

and replace with

confirm( $_GET );


Thanks for finding the problem. I'm amazed that Mambo changed the mosGetParameter function...

But please beware that the replacement suggested above opens a hole for SQL injection attacks...
Instead, a SQL-safe replacement is:

[code:1]cbGetEscaped(isset($_GET) ? $_GET : "");
[/code:1]




sort of a noob question.... but can someone explain what exactly is a SQL injection attack? and how would this affect a website if the above code was changed as suggested?

Post edited by: eyekon1, at: 2006/04/05 22:47


18 years 2 weeks ago #9756 by Viames
Replied by Viames on topic [OT] SQL Injection
eyekon1 wrote:

sort of a noob question.... but can someone explain what exactly is a SQL injection attack? and how would this affect a website if the above code was changed as suggested?

Take a look there: SQL Injection Attacks by Example :)

CB italian translation & testing
translations on joomla.it
homesites: Viames.it , Crotone on Web
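
To make the question above concrete, here is an added example (not from any poster in this thread, and not Community Builder or Mambo code) that runs the same confirmation update three ways: with the request value concatenated into the SQL, escaped, and bound as a parameter. It uses PDO with an in-memory SQLite database instead of Mambo's database layer; the table, columns, function names and sample rows are all constructed for illustration.

```php
<?php
// Added illustration; not Community Builder or Mambo code.
// Table, columns, function names and sample rows are constructed.

function freshDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (username TEXT, confirmcode TEXT, confirmed INTEGER DEFAULT 0)");
    $pdo->exec("INSERT INTO users (username, confirmcode) VALUES
                ('alice', 'a1f3'), ('bob', '9c2e'), ('carol', '77d0')");
    return $pdo;
}

// Unsafe: the request value becomes part of the SQL text itself,
// so a quote character in it can change the WHERE clause.
function confirmConcatenated(PDO $pdo, string $code): int {
    return $pdo->exec("UPDATE users SET confirmed = 1 WHERE confirmcode = '$code'");
}

// Escaped: quote characters in the value are neutralised before it is embedded.
function confirmEscaped(PDO $pdo, string $code): int {
    return $pdo->exec("UPDATE users SET confirmed = 1 WHERE confirmcode = " . $pdo->quote($code));
}

// Bound parameter: the value is sent separately from the SQL text.
function confirmBound(PDO $pdo, string $code): int {
    $stmt = $pdo->prepare("UPDATE users SET confirmed = 1 WHERE confirmcode = ?");
    $stmt->execute([$code]);
    return $stmt->rowCount();
}

$inputs = [
    'genuine code'       => 'a1f3',
    'value with a quote' => "x' OR '1'='1",   // constructed test input
];

// Each call gets a fresh database so the row counts are comparable.
foreach ($inputs as $label => $code) {
    foreach (['confirmConcatenated', 'confirmEscaped', 'confirmBound'] as $fn) {
        $rows = $fn(freshDb(), $code);
        printf("%-20s %-20s accounts confirmed: %d\n", $label, $fn, $rows);
    }
}
```

With the genuine code all three functions confirm one account. With the second input only the concatenated version confirms every account, because the quote ends the string literal and the rest of the value is read as SQL.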

