[thelist] Security Tip

Seth Bienek seth at sethbienek.com
Tue Apr 3 11:41:21 CDT 2001

> As a related note, if you ever pass via the query string the name of the
> file to include/locate to... don't.

And while we're on the subject... Don't ever ever ever pass an SQL query in
a URL (and you should probably be careful of even what "parts" of SQL you
pass in a URL).

A former employer of mine hired a guy to redo his site after I left (`cause
he wanted frames!), and the kid basically converted my CF code to ASP..
Well, he also had to produce a couple of new templates, and since they were
very similar except for the SQL, he used the same template, and just passed
the SQL in the URL (enough TLA's for ya?).

Well, they emailed me to ask what I thought of the "new" site and I had to
let them have it (My reaction was something like: "My BABY! What have you
bastards done to my baby?!"..

Anyhoo..  One of the things I noticed was the SQL in the URL and I explained
to them that...

If you put your SQL in a URL parameter, all someone has to do is change the
URL to run whatever query they want to run on your database.  In nearly all
cases, this includes INSERT, UPDATE, and DELETE statements..  See where I'm
going with this?


Seth Bienek
Solutions Development Manager
Stonebridge Technologies, Inc.
972.455.7294 tel
972.404.9754 fax
ICQ #7673959

More information about the thelist mailing list