if someone can run a query from a url, all they have to do is get to the
sysobjects table (a known table in ss7) then, if done properly, your code
will display every table name in the database. they could then insert
orders (yes even as strings though that is a bit harder), or query the
credit card information. there is a whole lot that can be done. make
sure that you keep people from running queries in the url. use validation
at all times.

-chris
ps if you want help securing your site, email me privately and i'll give
you some insights.

On Tue, 22 May 2001, Pooh Bear wrote:

> hey, I was wondering what is the least amount of information someone needs
> to compromise my database or code?  I am.....err..."hacking?" my
> site/database through the URL.  So far, I've got 2 tablenames, the
> datasource, and some field names.  I don't want to have to do a lot of coding
> to prevent this from being seen by someone else, but I will if I have to, but
> first I want to know if anyone could do anything with this much information.
>   Thanx! :)
>
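
The validation advice in the reply above, sketched as an added ColdFusion example that is not part of the original thread. The datasource `shopDSN`, the `orders` table, its columns and the log file name are hypothetical; the `cftry` block rests on the assumption that raw database error pages are one way table, field and datasource names reach a visitor.

```cfml
<!--- BEFORE (shown for contrast; remove from a real template):
      the URL value is pasted into the SQL text, so whatever follows
      ?orderID= in the address bar becomes part of the statement that
      SQL Server executes. --->
<cfquery name="getOrder" datasource="shopDSN">
    SELECT orderID, status
    FROM orders
    WHERE orderID = #URL.orderID#
</cfquery>

<!--- AFTER, step 1: validate before touching the database.
      Accept only 1 to 9 digits; anything else stops the request
      with a generic message. --->
<cfparam name="URL.orderID" default="">
<cfif NOT REFind("^[0-9]{1,9}$", URL.orderID)>
    Invalid request.
    <cfabort>
</cfif>

<cftry>
    <!--- Step 2: bind the value instead of concatenating it.
          cfqueryparam sends it as a typed parameter, so it is never
          parsed as SQL, and rejects anything that is not an integer. --->
    <cfquery name="getOrder" datasource="shopDSN">
        SELECT orderID, status
        FROM orders
        WHERE orderID = <cfqueryparam value="#URL.orderID#"
                                      cfsqltype="CF_SQL_INTEGER">
    </cfquery>

    <cfcatch type="database">
        <!--- Step 3: keep the driver's error text (which can name
              tables, columns and the datasource) in a server-side log
              and show the visitor a generic message only. --->
        <cflog file="orders" text="Order lookup failed: #cfcatch.message#">
        Sorry, that order could not be loaded.
        <cfabort>
    </cfcatch>
</cftry>
```

Running the database login used by the datasource without rights on system tables such as sysobjects limits what any query that does slip through can read.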
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/