This problem had everything to do with variable types (which are evil). It turns out the foreach does nothing if the variable is not an array, which means we completely bypass the mysql_real_escape_string call in the foreach loop and can SQL inject the field (we still have to escape out of the serialize, but that is just a few more quotes). Just another SQL injection exercise where too many people were trying to modify the same database at the same time.
-- suntzu_II
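
The type confusion described above, as an added example that is not code from the original post or the challenge: the escape-inside-foreach pattern next to a version that checks the type first. The function names, the `profile (data)` table in the comment and the sample values are assumptions, and `escape_stub()` stands in for `mysql_real_escape_string()` so the script runs without a database.

```php
<?php
// Added example with constructed input; all function names are hypothetical.
// escape_stub() stands in for mysql_real_escape_string(), which needs a live
// connection and no longer exists in PHP 7+.
function escape_stub(string $s): string
{
    return addslashes($s);
}

// Pattern described above: escaping happens only inside the foreach.
function prepare_vulnerable($field): string
{
    // For a non-array, PHP emits a warning and runs zero iterations.
    foreach ($field as $k => $v) {
        $field[$k] = escape_stub($v);
    }
    return serialize($field); // a plain string reaches this line unescaped
}

// Hardened: check the type before the loop and reject anything unexpected.
function prepare_hardened($field): string
{
    if (!is_array($field)) {
        throw new InvalidArgumentException('field must be an array');
    }
    foreach ($field as $v) {
        if (!is_string($v)) {
            throw new InvalidArgumentException('field values must be strings');
        }
    }
    // No manual escaping: the result is meant to be bound to a placeholder,
    // e.g. INSERT INTO profile (data) VALUES (?), never concatenated into SQL.
    return serialize($field);
}

$asArray  = ["o'brien"]; // constructed: the shape the code expects
$asString = "o'brien";   // constructed: the same value sent as a plain string

echo prepare_vulnerable($asArray), "\n";  // quote is backslash-escaped
echo prepare_vulnerable($asString), "\n"; // loop skipped, quote left as-is

try {
    prepare_hardened($asString);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo prepare_hardened($asArray), "\n";
```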