Thanks Robert. That's what I'm not sure of. The PCI compliance scans are saying they are vulnerable to SQL injections, and if I enter something like this in a form field being inserted by a TAF:

Steve"); UPDATE customers…

then look at the database table, that's exactly what's in there. Shouldn't it be:

Steve\"); UPDATE customers…

if it is being escaped? I have to admit to a lack of knowledge in this area, so I apologize if I'm misunderstanding what the PCI compliance outfit is looking for. I can send you the specific URLs in private if you'd like.

Thanks!

-- Steve

On Aug 21, 2011, at 2:28 PM, Robert Shubert wrote:

> Steve,
>
> I'd like to look at your specific situation in more detail. Escaping of
> values in SQL statements should be automatically handled by TeraScript Server.
>
> Robert
>
> From: Steve Briggs [mailto:[email protected]]
> Sent: Sunday, August 21, 2011 11:30 AM
> To: [email protected]
> Subject: Witango-Talk: Witango / TeraScript MySQL escape meta tag
>
> I need to convert a bunch of old TAFs for PCI compliance and I'm looking for
> the easiest way to escape insert and update statements to avoid SQL
> injections. Does anyone have a custom meta tag similar to PHP's
> mysql_escape_string? i.e. <@MYSQLESCAPE <@POSTARG first_name>>
>
> Or any other suggestions as to the best way to go about this?
>
> Thanks!
>
> -- Steve
>
> **************************************************
> Steve Briggs
> Wow Pages
> Portland, Maine
> Longmont, Colorado
>
> 207-761-2450
> 888-325-5907
>
> [email protected]
>
> **************************************************
>
> To unsubscribe from this list, please send an email to [email protected]
> with "unsubscribe witango-talk" in the body.
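As an added illustration (not part of this thread): the escape characters are consumed by the SQL parser when the statement runs, so a correctly escaped or parameterized INSERT leaves the raw text in the table while the trailing UPDATE never executes; seeing the unescaped value stored is the expected result, and the check that matters is whether the injected statement had any effect. The code below uses Python's sqlite3 with a constructed payload modelled on the one in the message; the `customers` table layout and the `balance` column are assumptions.

```python
import sqlite3

# Constructed payload modelled on the thread: closes the literal, closes the
# statement and tries to start a second one. Both quote styles are included.
PAYLOAD = 'Steve\'"); UPDATE customers SET balance = 0; --'


def fresh_db():
    """In-memory database with one pre-existing row to detect tampering."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (first_name TEXT, balance INTEGER)")
    con.execute("INSERT INTO customers VALUES ('Alice', 100)")
    return con


def insert_parameterized(con, name):
    """Preferred fix: the driver sends the value separately from the SQL text."""
    con.execute("INSERT INTO customers (first_name, balance) VALUES (?, 50)", (name,))
    return "INSERT INTO customers (first_name, balance) VALUES (?, 50)"


def escape_literal(value):
    """Hand-rolled escaper, SQLite flavour: a single quote inside a literal is
    doubled. MySQL's mysql_escape_string backslash-escapes instead, but the
    principle is the same: the escaping exists only in the statement text."""
    return "'" + value.replace("'", "''") + "'"


def insert_escaped(con, name):
    """Legacy-style fix: build the statement text with an escaped literal."""
    sql = f"INSERT INTO customers (first_name, balance) VALUES ({escape_literal(name)}, 50)"
    con.execute(sql)
    return sql


def last_stored_name(con):
    return con.execute("SELECT first_name FROM customers ORDER BY rowid DESC").fetchone()[0]


def alice_balance(con):
    """Still 100 after the insert means the injected UPDATE never ran."""
    return con.execute("SELECT balance FROM customers WHERE first_name = 'Alice'").fetchone()[0]


def demo():
    results = {}
    for label, inserter in (("parameterized", insert_parameterized), ("escaped", insert_escaped)):
        con = fresh_db()
        statement = inserter(con, PAYLOAD)
        results[label] = {
            "statement": statement,            # escaping visible here only
            "stored": last_stored_name(con),   # raw value, exactly as typed
            "alice_balance": alice_balance(con),
        }
    return results
```

In both rows the stored value equals the typed payload and Alice's balance is untouched; the doubled quote appears only in the escaped statement text, never in the table.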
