hi Dave.
Quote:
1) Is there any way of making a post like that without getting the */ added at the end?
Turn off the option
If XOOPS_DB_PREFIX is not known to attackers, there is little threat from SQL injection attacks.
I think a better algorithm, like the POST check, will be OK if some "invalid string as SQL" is found before the first '/*'.
Quote:
2) Is that check really necessary? How could someone exploit that?
An isolated '/*' makes SQL injection easier.
e.g.)
the vulnerability:
"SELECT title FROM ".$xoopsDB->prefix("foo")." WHERE storyid='{$_GET['id']}' AND status>0";
Attacker can do:
?id=1'+UNION+SELECT+password+FROM+xoops_users+ORDER+BY+...+/*
I'm sorry that I did not check the typos in this attack.
Anyway, you can easily understand that the isolated '/*' is necessary.
Protector rewrites the request like this:
?id=1'+UNION+SELECT+password+FROM+xoops_users+ORDER+BY+...+/**/
You can also understand that this causes an SQL error, and attackers can't get the hashed passwords from the users table.
*/
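The attack and the '/**/' rewrite described in the post above, as an added example that is not part of the original post or of Protector's own code: a Python script against an in-memory SQLite database with constructed sample rows (the table names assume the default `xoops_` prefix, and the payload is my own rather than the one in the post). SQLite, like MySQL, treats an unterminated `/*` as a comment running to the end of the statement, so the vulnerable query leaks the password hash, while the same request with `*/` appended fails with a syntax error.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not real XOOPS data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE xoops_foo (storyid INTEGER, title TEXT, status INTEGER);
        INSERT INTO xoops_foo VALUES (1, 'Hello world', 1), (2, 'Draft', 0);
        CREATE TABLE xoops_users (uid INTEGER, uname TEXT, pass TEXT);
        INSERT INTO xoops_users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return db


def vulnerable_query(db: sqlite3.Connection, story_id: str) -> list:
    """Same pattern as the vulnerable PHP in the post: the request value is
    interpolated into the SQL string without escaping or a bound parameter."""
    sql = f"SELECT title FROM xoops_foo WHERE storyid='{story_id}' AND status>0"
    return [row[0] for row in db.execute(sql)]


def neutralize_isolated_comment(value: str) -> str:
    """Hypothetical Protector-style rewrite (my reading of the post, not its code):
    every '/*' that has no '*/' anywhere after it becomes '/**/', so the comment
    can no longer swallow the rest of the statement."""
    return re.sub(r"(?s)/\*(?!.*\*/)", "/**/", value)


def protected_query(db: sqlite3.Connection, story_id: str) -> list:
    """The vulnerable query, but fed the rewritten request value."""
    return vulnerable_query(db, neutralize_isolated_comment(story_id))


# Constructed attack value: close the quote, UNION in the hash column, then use
# an unterminated comment to discard the trailing "' AND status>0".
PAYLOAD = "1' UNION SELECT pass FROM xoops_users /*"


def demo() -> tuple:
    """Returns (rows leaked by the vulnerable query, whether the rewrite blocked it)."""
    db = make_db()
    leaked = vulnerable_query(db, PAYLOAD)
    try:
        protected_query(db, PAYLOAD)
        blocked = False
    except sqlite3.OperationalError:
        # "... /**/' AND status>0" leaves an unterminated string literal
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    rows, blocked = demo()
    print("vulnerable query returned:", rows)
    print("request with /**/ rewrite raised an SQL error:", blocked)
```

The rewrite is a mitigation of one specific trick, not a fix: the real fix for the snippet in the post is to cast `$_GET['id']` to an integer or bind it as a parameter, which `vulnerable_query` deliberately does not do so that the behaviour in the post can be reproduced.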