[thelist] Security issue

Chris Blessing webguy at mail.rit.edu
Tue Jun 25 08:09:01 CDT 2002


You should build a small function to help you counter these types of
"hacks".  I have one that goes like this:

function dbIn(str)
	' replace single quote with 2 single quotes
	' replace double quote with 2 double quotes
	' put a single quote on each side of this string
end function

This allows the data to be prepped before being used in the sql.  It's also
easily reversable if you need to build a function to do it.


Chris Blessing
webguy at mail.rit.edu

> Guys,
> I just managed to "hack" into one of my older authentication scripts
> (in ASP) by typing:
> x' or 1=1 --
> in the user field.
> On the newer scripts (PHP) it didn't work.
> I guess it also depends on the way the SQL query is formulated...
> Anyone come across this before? What do you think about it?
> Nedret

More information about the thelist mailing list