One should use parameterised SQL to get around that
For example:
Select *
From MyTable
Where SomeField =
> -----Original Message-----
> From: Don Vawter [mailto:[EMAIL PROTECTED]]
> Sent: 19 December 2001 16:38
> To: CF-Talk
> Subject: Re: SQL Attacks (was Forms and
I have a page up which discusses this http://www.vawter.com/urlhack.cfm
----- Original Message -----
From: "Shawn Grover" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, December 19, 2001 9:32 AM
Subject: RE: SQL Attacks (was Forms and C
Don't forget the SQL attacks - similar to the type of attack we've been
discussing, but not addressed thus far.
Something like this:
Select *
From MyTable
Where SomeField = #Form.SomeField#
now if Form.SomeField were "b'; use dbname; drop table tablename; --'"
then Th
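The thread's query, shown in both forms as an added example (this is editor-supplied code, not code posted by any participant): the interpolated version Shawn describes, beside the same query written with ColdFusion's cfqueryparam tag, which is the "parameterised SQL" the reply recommends. The datasource name myDSN, the table MyTable and the columns SomeField and Id are placeholders.

```cfml
<!--- Added example, not from the thread. Vulnerable form, as posted: the form
      value is spliced into the SQL text, so quotes, semicolons and comment
      markers in it become part of the statement. Wrapping it in quotes does
      not change that; the value is still interpreted as SQL text. --->
<cfquery name="getRowsUnsafe" datasource="myDSN">
    SELECT *
    FROM MyTable
    WHERE SomeField = #Form.SomeField#
</cfquery>

<!--- Parameterised form: cfqueryparam sends the value to the driver as a
      bound parameter of the declared SQL type. The database receives it as
      data, never as part of the statement, so a value like the one quoted in
      the thread simply matches no row. maxlength caps the accepted length. --->
<cfquery name="getRows" datasource="myDSN">
    SELECT *
    FROM MyTable
    WHERE SomeField = <cfqueryparam value="#Form.SomeField#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>

<!--- For a numeric column, declare the numeric type: ColdFusion then rejects
      non-numeric input with an error before any SQL is sent to the server. --->
<cfquery name="getById" datasource="myDSN">
    SELECT *
    FROM MyTable
    WHERE Id = <cfqueryparam value="#Form.Id#" cfsqltype="cf_sql_integer">
</cfquery>
```

The cfsqltype should match the column's actual type: declaring it as varchar for a numeric column still keeps the value out of the statement text, but the integer type additionally turns bad input into a ColdFusion error you can log, rather than a query that silently returns nothing.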