Outlook annoyances (was: RE: [thelist] The Tao of asking questions on thelist)

Rory.Plaire at wahchang.com Rory.Plaire at wahchang.com
Wed Nov 21 16:19:22 CST 2001


+| me on this front include people not wrapping 
+| their text

On this note,

It appears that Outlook 2k mangles my plain text emails to the list (and I
presume anyone who gets plain text from me). I have looked in the mail
formatting options, but can't find where it allows me to hack off a line at,
say, 60 characters.

Can anyone tell me how to get Outlook 2k to wrap a line after 60 characters?

Let's see... a tip would help that one go down.

<tip type="ColdFusion security" author="rory"/>
Like to use ColdFusion to make a delicious database app?

How easy is it for me to enter into the First Name box on your delectable
and intuitive form: "hax0r d00d!!!', 'hahaha'); IF EXIST (tblUsers) DELETE
FROM tblUsers; IF EXIST (tblUser) DELETE FROM tblUser; IF EXIST (Users)
DELETE FROM Users; IF EXIST (User) DELETE FROM User; SELECT
UCASE('fried!!!!!!!'"?

If you have a CFQUERY updating your tables, you probably have a statement
like this one:

INSERT INTO 	tblUser
(			First_Name
,			Last_Name
)
VALUES
(			'#txtFirstName#'
,			'#txtLastName#'
)

which, when expanded, looks like this:

INSERT INTO	tblUser
(			First_Name
,			Last_Name
)
VALUES
(			'hax0r d00d!!!', 'hahaha'); IF EXIST (tblUsers)
DELETE FROM tblUsers; IF EXIST (tblUser) DELETE FROM tblUser; IF EXIST
(Users) DELETE FROM Users; IF EXIST (User) DELETE FROM User; SELECT
UCASE('fried!!!!!!!''
,			'all your data are not belong to you!!!!'
)

It's only a matter of time before Johnny Cracker finds out what will work...
and then, goodbye data.

There are a couple of defenses:
1) Scrub your client form data on the server. Look for the SQL keywords that
can do nasty things: INSERT, UPDATE, DELETE and TRUNCATE and ALTER TABLE.
This could also go for JavaScript, since people could put unsavory things in
a comment field which may be parsed by the browser. Stripping out
<script></script> tags from input is also a noteworthy step.

2) Use stored procedures. Then you can only pass parameters of a particular
type. There is no known way to get a parameter value to do nasty things.
Even MS Access can use SPs.
(http://www.sys-con.com/coldfusion/archives/0105/arehart/index.html)

3) Use the Val() function on input text which is to be a number. It returns
a 0 when the text doesn't parse to a number.

You think this is all? You just got started with the worst. Even if you
don't host your own server, there are things you could do to protect
yourself and your ISP. Check out

http://www.katungroup.com/coldfusionsecurity.htm

for more satisfying details.
</tip>
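As an added illustration of the tip above (this is not part of the original post), the Python/sqlite3 example below splices a constructed payload into the tblUser INSERT the way the #txtFirstName# substitution does, then shows that the same text is stored harmlessly when it is passed as a bound parameter. The table, seed row and payload are assumptions; sqlite3 stands in for the ColdFusion datasource, and coalesce() plays the role UCASE() plays in the tip's payload.

```python
import sqlite3

# Constructed payload modelled on the one in the tip: it closes the VALUES
# list, appends a DELETE, then opens a function call that swallows the rest
# of the template (the tip used UCASE for this; coalesce works in SQLite).
HOSTILE_FIRST_NAME = "hax0r d00d!!!', 'hahaha'); DELETE FROM tblUser; SELECT coalesce('fried"


def vulnerable_insert_sql(first_name, last_name):
    """Mirror the #txtFirstName# substitution: form text is spliced into
    the statement, so quotes and semicolons in it become SQL syntax."""
    return ("INSERT INTO tblUser (First_Name, Last_Name) "
            f"VALUES ('{first_name}', '{last_name}')")


def fresh_db():
    """In-memory stand-in for the app's database, seeded with one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUser (First_Name TEXT, Last_Name TEXT)")
    conn.execute("INSERT INTO tblUser VALUES ('Ada', 'Lovelace')")
    conn.commit()
    return conn


def all_rows(conn):
    return conn.execute("SELECT First_Name, Last_Name FROM tblUser").fetchall()


def rows_after_vulnerable_insert(first_name, last_name):
    """Run the spliced statement through a driver that accepts batched SQL."""
    conn = fresh_db()
    conn.executescript(vulnerable_insert_sql(first_name, last_name))
    return all_rows(conn)


def vulnerable_insert_fails(first_name, last_name):
    """A legitimate apostrophe (O'Brien) breaks the spliced statement too."""
    try:
        rows_after_vulnerable_insert(first_name, last_name)
    except sqlite3.OperationalError:
        return True
    return False


def rows_after_safe_insert(first_name, last_name):
    """Bound parameters: statement and values travel separately, so the
    payload is stored as an ordinary string and nothing else executes."""
    conn = fresh_db()
    conn.execute("INSERT INTO tblUser (First_Name, Last_Name) VALUES (?, ?)",
                 (first_name, last_name))
    conn.commit()
    return all_rows(conn)
```

With the spliced query the seed row is gone afterwards; with the bound-parameter query both the seed row and the payload-as-text survive, and a name like O'Brien no longer causes a syntax error.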
