[thelist] Website Hacked?

Anthony Baratta anthony at baratta.com
Sat May 24 17:46:14 CDT 2008

Joel D Canfield wrote:
> I'm not sure what's happening to my own db at Crystal Tech, but two
> weeks ago an entire table had a script string dumped into every text
> field. They said "we'll just restore it" without much comment on how it
> happened (they were, in fact, just slightly evasive, which concerned me)
> and now it's happened again. Last time I didn't push for their
> explanation re: whether it was them or me; this time, I'll have to. (The
> only forms I use for the table in question are in a password-secured
> area, not available to anyone but me, so I'm baffled.)


It's not a form hijack issue, it's anytime you use a querystring to pass 
data to an SQL statement - even a SELECT!

e.g. view.asp?id=300

See my previous 3:40p post for more info.

Check your data types (strong typing is critical) before passing on or 
building your SQL!!!

Anthony Baratta

"Victory at all costs, victory in spite
of all terror, victory however long and
hard the road may be; for without victory
there is no survival."
-- Winston Churchill
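The point Anthony is making, as an added example that is not from his post or from the list (Python with sqlite3 standing in for the ASP page and its database; the table, the `view.asp?id=` lookup and the sample values are constructed here): the querystring value is checked to be a plain integer before any SQL is built, and is then bound as a parameter rather than spliced into the statement.

```python
import re
import sqlite3

# Constructed stand-in for the table behind a page like view.asp?id=300.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?)",
        [(300, "Article three hundred"), (301, "Article three hundred one")],
    )
    return conn


def parse_id(raw):
    """Strong typing for the querystring value: accept only a plain decimal
    integer and return it as int; anything else is rejected with None.
    The digit cap keeps the value within a 32-bit INTEGER column."""
    if raw is None or not re.fullmatch(r"[0-9]{1,9}", raw):
        return None
    return int(raw)


def unsafe_view(conn, raw_id):
    """The pattern Anthony warns about: the querystring is concatenated
    straight into the SQL, so any text the client sends becomes SQL.
    Kept only to contrast with safe_view below."""
    sql = "SELECT body FROM articles WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def safe_view(conn, raw_id):
    """Validate the type first, then bind the value as a parameter so the
    database can only ever treat it as data, never as SQL syntax."""
    article_id = parse_id(raw_id)
    if article_id is None:
        return None  # the page would answer with an error, not run a query
    sql = "SELECT body FROM articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()
```

With the input `300 OR 1=1`, `unsafe_view` returns every row while `safe_view` refuses the request before touching the database.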
