Just to clarify my earlier posting: the code I posted was server-side ASP
JavaScript. As a number of people have pointed out (or will point out), running
it at the client isn't going to help. I suspect the same methodology could be
applied for other environments (ColdFusion / Perl DBI::DBD / PHP / etc.).

cheers

vittal

--
Vittal Aithal
Revolution Ltd <tel: 0181 267 1000> <fax: 0181 267 1066>
<vittal.aithalat_private> <http://www.revolutionltd.com/>
<vittal.aithalat_private> <http://www.bigfoot.com/~vittal.aithal/>

> -----Original Message-----
> From: Bigby Findrake [mailto:bigbyat_private]
> Sent: 25 May 1999 22:43
> To: BUGTRAQat_private
> Subject: Re: Advisory: NT ODBC Remote Compromise
>
>
> On Tue, 25 May 1999, Vittal Aithal wrote:
>
> > Here's some JavaScript stuff that'll clean up quotes and things before
> > having them sent off in a SQL query... only tested with Access, so YMMV.
>
> Do keep in mind that this will stop people from using the
> aforementioned exploits *only when using your forms*. It is still
> possible to download your web pages, remove the JavaScript hooks, and then
> submit their information, or call the CGI (if method GET is accepted) by
> hand and get around such security measures.
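The following is an added example, not the code from Vittal's posting. It shows the approach the thread describes in plain JavaScript rather than ASP JScript: escape the quotes in each request value before it is concatenated into a SQL string, and do that in the server script, on the raw request values, so that a client who strips the form's JavaScript hooks or calls the script directly gains nothing. It also goes one step beyond the message by treating numeric columns separately, since doubling quotes cannot protect an unquoted numeric literal. The `form` object (standing in for `Request.Form`) and the sample inputs are constructed for the example; there is no real ODBC connection.

```javascript
// Added example, not the code from the original posting.  Server-side
// escaping of request values before they are concatenated into SQL.
// The form object and sample inputs are constructed; nothing here talks
// to a database.

// Double every single quote so a value can never close the string literal
// it is placed in.  This is the quoting rule for Access/Jet and standard
// SQL; it does not cover MySQL-style backslash escapes.
function escapeSqlString(value) {
  return String(value).replace(/'/g, "''");
}

// Quote escaping does nothing for an unquoted numeric literal such as
// "WHERE id = 5 OR 1=1", so numeric columns are validated as integers
// instead of escaped.
function toSqlInteger(value) {
  const text = String(value).trim();
  if (!/^-?\d+$/.test(text)) {
    throw new Error("not an integer: " + JSON.stringify(value));
  }
  return String(parseInt(text, 10));
}

// Both user-supplied values end up inside quoted string literals, so the
// escaped form of "' OR ''='" stays inside the literal instead of
// terminating it.
function buildLoginQuery(username, password) {
  return "SELECT * FROM users WHERE username = '" + escapeSqlString(username) +
         "' AND password = '" + escapeSqlString(password) + "'";
}

function buildProductQuery(id) {
  return "SELECT * FROM products WHERE id = " + toSqlInteger(id);
}

// Server-side handler.  `form` stands in for Request.Form: the raw values
// from the POST body, whatever the browser did or did not run.  A value
// that fails validation is rejected here, before any query is built.
function handleProductRequest(form) {
  try {
    return { ok: true, query: buildProductQuery(form.id) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample input: what a client sends after removing the
// client-side checks and submitting the form by hand.
const hostileLogin = { username: "' OR ''='", password: "x" };
const hostileForm = { id: "5 OR 1=1" };

console.log(buildLoginQuery(hostileLogin.username, hostileLogin.password));
console.log(handleProductRequest(hostileForm));
console.log(handleProductRequest({ id: "42" }));
```

Note that the escaping is applied to the value read from the request on the server; the same functions running in the browser would be exactly the bypassable hooks the reply warns about.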
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:47:13 PDT