Avoiding passing DB info in the URL (was: RE: [thelist] Avoiding Divide by Zero within SQL...)

Rory.Plaire at wahchang.com Rory.Plaire at wahchang.com
Fri Nov 30 13:37:29 CST 2001


+| Be careful with some of the stock ASP data munging routines. If you pass
+| them a NULL, they blow up. Wrap these functions in a custom function to
+| test for Null (or Blank) first.

One should also be careful of passing DB field values which are then used in
queries... malicious users could append their own versions of the queries
(like ;TRUNCATE TABLE;) to the values. Bye bye data... 8(

There was a CF tip about this very thing a short while ago... maybe the tip
harvester picked it up already. I think the title was "ColdFusion Security".

Maybe including some scrubbing code in the functions for these nasty
statements would also be wise... 

<rory disposition="hackers... can't live with 'em, can't live w/o them."
alt="8}"/>
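The risk Rory describes, and the fix practitioners reach for today, as an added example that is not part of the original post or thread: the URL value pasted straight into the SQL text next to the same lookup done with a bound parameter. Python's sqlite3 stands in for ASP/ADO here; the table and rows are constructed, and SQLite's DELETE plays the role of the TRUNCATE in the post.

```python
import sqlite3

SAMPLE_ROWS = [("alice",), ("bob",)]  # constructed sample data, not real records


def make_db():
    # Constructed in-memory table standing in for the site's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT)")
    conn.executemany("INSERT INTO orders (customer) VALUES (?)", SAMPLE_ROWS)
    return conn


def unsafe_lookup(conn, customer):
    """The pattern the post warns about: the value from the URL is glued into
    the SQL text, so a quote plus a semicolon inside it ends the intended
    statement and starts another. executescript models a driver that accepts
    multi-statement batches."""
    sql = "SELECT id FROM orders WHERE customer = '" + customer + "'"
    conn.executescript(sql)
    return sql


def safe_lookup(conn, customer):
    """Hardened form: the value travels as a bound parameter, never as SQL
    text, so quotes and semicolons in it are just data to compare against."""
    cur = conn.execute("SELECT id FROM orders WHERE customer = ?", (customer,))
    return [row[0] for row in cur.fetchall()]


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def demo():
    # A value shaped like the post's example: SQLite has no TRUNCATE TABLE,
    # so the appended statement is its DELETE equivalent.
    hostile = "x'; DELETE FROM orders; --"
    db_unsafe = make_db()
    unsafe_lookup(db_unsafe, hostile)          # second statement runs: table emptied
    db_safe = make_db()
    matches = safe_lookup(db_safe, hostile)    # no such customer: no rows, table intact
    return row_count(db_unsafe), row_count(db_safe), matches


if __name__ == "__main__":
    print(demo())  # (0, 2, [])
```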
