[thelist] Website Hacked?

Anthony Baratta anthony at baratta.com
Sat May 24 17:46:14 CDT 2008


Joel D Canfield wrote:
> 
> I'm not sure what's happening to my own db at Crystal Tech, but two
> weeks ago an entire table had a script string dumped into every text
> field. They said "we'll just restore it" without much comment on how it
> happened (they were, in fact, just slightly evasive, which concerned me)
> and now it's happened again. Last time I didn't push for their
> explanation re: whether it was them or me; this time, I'll have to. (The
> only forms I use for the table in question are in a password-secured
> area, not available to anyone but me, so I'm baffled.)

Joel...

It's not a form hijack issue, it's anytime you use a querystring to pass 
data to an SQL statement - even a SELECT!

e.g. view.asp?id=300

See my previous 3:40p post for more info.

Check your data types (strong typing is critical) before passing on or 
building your SQL!!!


--
Anthony Baratta

"Victory at all costs, victory in spite
of all terror, victory however long and
hard the road may be; for without victory
there is no survival."
-- Winston Churchill
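The fix Anthony describes for a page like view.asp?id=300, shown as an added example that is not code from the thread: reject anything that is not a plain integer, then bind the value as a typed parameter instead of concatenating it into the SQL. The connection object "conn", the table "articles" and its columns are assumed names.

```vbscript
<%
' Added example (not from the original post): strongly typing the
' query-string "id" of view.asp?id=300 before it reaches SQL.
' Assumes an open ADODB connection "conn" and a table "articles"
' with an integer "id" column (both hypothetical names).
Option Explicit

' True only for a plain non-negative integer string such as "300".
' IsNumeric alone is too loose: it accepts "1e3", "&H10", " 300 " and "3.0".
Function IsStrictInteger(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsStrictInteger = re.Test(s)
End Function

Dim rawId, id, cmd, rs
rawId = Request.QueryString("id")

' The pattern the thread warns about: concatenating the raw string means
' anything after the number becomes part of the statement, even on a SELECT.
'   sql = "SELECT title, body FROM articles WHERE id = " & rawId

If Not IsStrictInteger(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid id"
    Response.End
End If
id = CLng(rawId)   ' now a real number, not text

' Parameterised query: the value is bound as adInteger (3), adParamInput (1),
' so the database never parses it as SQL. adCmdText = 1.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1
cmd.CommandText = "SELECT title, body FROM articles WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , id)
Set rs = cmd.Execute
%>
```

The same check applies to every page that builds SQL from Request.QueryString or Request.Form, including the ones behind a password, since the injected value rides on the request itself.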