Re: malformed sql queries

From: Francois Scala (fscalaat_private)
Date: Sun Dec 30 2001 - 13:06:28 PST


    "Gabriel A. Maggiotti" wrote:
    > 
    > 
    >         http://www.host.com/file?id=121%20into%20outfile%20'/tmp/file.txt'
    > 
    
    
    The solution is that you must make a list of characters that you accept and
    reject anything else.
    And you must decode/convert before filtering anything.
    
    For this example, an "id" should contain only numbers or hexadecimal characters.
    
    "2114213" => good
    "3244; drop table users" => bad, ";" not in the list
    
    -- 
    --=>[ Francois Scala / System & Network Administrator ]<=------------
    --=>[ Phone: +33 1 40762339 / Fax: +33 1 40762425 ]<=----------------
    
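An added illustration of the decode-then-allowlist rule the reply describes (example code written for this archive page, not code from the original post or its author); the parameter name `id`, the helper names and the bounded decode loop are assumptions:

```python
import re
from urllib.parse import unquote_plus

# Allowlist for an "id" parameter: decimal or hexadecimal digits only.
# Everything else is rejected, which is the post's recommendation.
ALLOWED_ID = re.compile(r"^[0-9a-fA-F]+$")


def decode_param(raw: str) -> str:
    """Fully URL-decode a query-string value before any check.

    Decoding repeats until the value stops changing, so a doubly-encoded
    value (e.g. %253B -> %3B -> ;) is seen in its final form. The loop is
    bounded so pathological input cannot keep it running.
    """
    value = raw
    for _ in range(5):
        decoded = unquote_plus(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many encoding layers")


def is_valid_id(raw: str) -> bool:
    """Decode first, then accept only if every character is in the allowlist."""
    try:
        value = decode_param(raw)
    except ValueError:
        return False
    return ALLOWED_ID.fullmatch(value) is not None


def naive_filter(raw: str) -> bool:
    """The approach the post warns against: a denylist checked on the
    still-encoded value. Included only to contrast with is_valid_id."""
    return ";" not in raw and " " not in raw and "'" not in raw


if __name__ == "__main__":
    # Constructed samples: the two from the reply plus the URL from the thread.
    samples = [
        "2114213",                                 # good
        "3244; drop table users",                  # bad: ";" not in the list
        "121%20into%20outfile%20'/tmp/file.txt'",  # bad once decoded
        "3244%3B%20drop%20table%20users",          # bad, but naive_filter passes it
    ]
    for s in samples:
        print(f"{s!r}: allowlist={is_valid_id(s)} naive_denylist={naive_filter(s)}")
```

Running it shows that the encoded variant passes the naive denylist but fails the allowlist, because the allowlist is applied after decoding.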



    This archive was generated by hypermail 2b30 : Sun Dec 30 2001 - 16:59:49 PST