Re: malformed sql queries

From: Blue Boar (BlueBoarat_private)
Date: Sat Dec 29 2001 - 20:18:42 PST

Peter Gutmann wrote:
> 
> I was more concerned about people doing things like using %39 to escape
> filtering for ' characters, a la Microsoft's continuing ".." problems.

That's something I was curious about as well.  I know parts of
Microsoft's version of the TDS protocol are done in Unicode.  If you
pass the appropriate escape character in Unicode, the script
that's trying to strip out dangerous stuff wouldn't catch it.

The only problem I can see is how do you keep IIS from decoding the
Unicode first (talking about web form access, obviously.)

					BB
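The two messages above describe a filter that strips quote characters and an input that arrives encoded (percent-encoded or in a Unicode compatibility form) so the filter never sees the quote. The following is an added example, not code from the thread, showing why such a filter fails, what a check that canonicalizes first looks like, and why bound parameters make the question moot. All sample inputs are constructed here; `naive_strip_quotes`, `canonicalize` and `count_users_parameterized` are names chosen for this example.

```python
import sqlite3
import unicodedata
import urllib.parse

# Constructed sample inputs (not from the thread): a legitimate name containing
# an apostrophe, the same name with the apostrophe percent-encoded, a
# double-encoded form, and a form using the fullwidth apostrophe U+FF07.
SAMPLE_INPUTS = {
    "plain": "O'Brien",
    "percent": "O%27Brien",
    "double": "O%2527Brien",
    "fullwidth": "O\uff07Brien",
}


def naive_strip_quotes(value: str) -> str:
    """The kind of filter the thread describes: drop literal ' characters.
    It never sees the quote when the input arrives encoded."""
    return value.replace("'", "")


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing (bounded, so a
    pathological input cannot loop forever), then apply NFKC so
    compatibility forms such as U+FF07 collapse to the ASCII apostrophe."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return unicodedata.normalize("NFKC", value)


def contains_quote_after_canonicalization(value: str) -> bool:
    """A check that runs on the canonical form; this is what the naive
    filter would need in order not to miss encoded quotes."""
    return "'" in canonicalize(value)


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with one constructed row whose name contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", ("O'Brien",))
    conn.commit()
    return conn


def count_users_parameterized(conn: sqlite3.Connection, name: str) -> int:
    """Bound parameters send the value as data, not as SQL text, so no
    stripping or escaping of ' is needed and the encoding question goes away."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ?", (name,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    for label, raw in SAMPLE_INPUTS.items():
        print(
            f"{label:9s} naive_stripped={naive_strip_quotes(raw)!r:14} "
            f"canonical={canonicalize(raw)!r} "
            f"quote_detected={contains_quote_after_canonicalization(raw)}"
        )
    conn = build_demo_db()
    print("parameterized lookup of O'Brien:", count_users_parameterized(conn, "O'Brien"))
```

The ordering question raised above (who decodes first, the web server or the script) is exactly why a character-stripping check has to run on the fully canonical form, and why decoding is done in a bounded loop rather than once. The parameterized query sidesteps the problem entirely: the apostrophe in "O'Brien" is stored and matched as data, and an encoded variant simply does not match any row.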

This archive was generated by hypermail 2b30 : Sat Dec 29 2001 - 20:30:31 PST