[thelist] Security Tip

Raymond Camden jedimaster at macromedia.com
Tue Apr 3 12:54:06 CDT 2001

> If you put your SQL in a URL parameter, all someone has to do is
> change the
> URL to run whatever query they want to run on your database.  In
> nearly all
> cases, this includes INSERT, UPDATE, and DELETE statements..  See
> where I'm
> going with this?

Or, let's say you pass an ID number, and you have sql that does this:

	update tblfoo
	set hit = 1
	where id = #URL.ID#

Some DBs let you do multiple sql statements just by appending a ;, so I
could change ?x=5 to ?x=5;drop+tablename.

Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email   : jedimaster at macromedia.com
ICQ UIN : 3679482

"My ally is the Force, and a powerful ally it is." - Yoda

More information about the thelist mailing list