>
>All of the examples you've shown me so far rely on the ability to inject
>characters that break the line. I've just spent a few hours searching this
>topic on Google and I can't find a single example that doesn't rely on
>injecting characters that break the line. In that case, why would not
>something as simple as this work?
>
>* Regular expressions would make this easier but I'm no expert on those...
>IF (NOT ("&" + "&") $ mylogin)  ;
>     AND (NOT "--" $ mylogin) ;
>     AND (NOT ";" $ mylogin)   && And whatever else you want to test for...
>         * Concatenate and execute
>ELSE
>         * MESSAGEBOX("Invalid Login.")
>ENDIF

Wouldn't you know, soon after I sent this, I found this one:

' or '1'='1

So the code would have to be:
mylogin = ALLTRIM(mylogin)
mypassword = ALLTRIM(mypassword)

IF (NOT ("&" + "&") $ mylogin) ;
     AND (NOT "--" $ mylogin) ;
     AND (NOT ";" $ mylogin) ;
     AND (NOT LEFT(mylogin,1) == "'") ;
     AND (NOT ("&" + "&") $ mypassword) ;
     AND (NOT "--" $ mypassword) ;
     AND (NOT ";" $ mypassword) ;
     AND (NOT LEFT(mypassword,1) == "'")
   * Concatenate and execute.
ELSE
   * Invalid input.
ENDIF

Ken Dibble
www.stic-cil.org

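Added example, not part of the post above: the login query the blacklist is protecting, built by string concatenation and then in parameterized form, run against a constructed in-memory SQLite table (the `users` table, the `ken` account and the helper names are all constructed here; Python's sqlite3 stands in for VFP since it runs anywhere). It feeds both the `' or '1'='1` input quoted in the post and shows that the parameterized query treats it as plain data, so no character blacklist is needed there.

```python
"""Constructed demo: string-built SQL vs. a parameterized query."""
import sqlite3

# Constructed sample data: one legitimate account.
USERS = [("ken", "s3cret")]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def login_concat(con: sqlite3.Connection, mylogin: str, mypassword: str) -> bool:
    """The pattern the post guards with a blacklist: the input is spliced into
    the SQL text, so a quote character changes the query's meaning."""
    sql = ("SELECT COUNT(*) FROM users WHERE login = '" + mylogin +
           "' AND password = '" + mypassword + "'")
    return con.execute(sql).fetchone()[0] > 0


def login_param(con: sqlite3.Connection, mylogin: str, mypassword: str) -> bool:
    """Parameterized form: values travel separately from the SQL text, so the
    same input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?"
    return con.execute(sql, (mylogin, mypassword)).fetchone()[0] > 0


def passes_blacklist(value: str) -> bool:
    """The post's character blacklist, transcribed from VFP to Python."""
    value = value.strip()
    return ("&&" not in value and "--" not in value and ";" not in value
            and not value.startswith("'"))


def demo() -> dict:
    con = make_db()
    payload = "' or '1'='1"  # the input quoted in the post
    return {
        # concatenation: the WHERE clause becomes true for every row
        "concat_with_payload": login_concat(con, payload, payload),
        # parameterized: no account has that literal login, so no match
        "param_with_payload": login_param(con, payload, payload),
        "param_valid": login_param(con, "ken", "s3cret"),
        # the leading-quote check from the post does reject this input
        "blacklist_rejects_payload": not passes_blacklist(payload),
    }
```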

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]