Hello Everyone,

Here is an issue I have just become aware of, and am wondering how Remedy handles the danger, or if it even is a danger.

It seems that if a web page accepts data input, and uses that data to query a database, the user can insert a value like: "whatever;do something nasty;--". Then if the web page uses this value to query the database, the database will actually perform the "do something nasty" command, which could be anything from dropping a table to giving somebody administrator permissions. (For a neat little cartoon illustrating this danger see: http://xkcd.com/327/.)

So my question is, does this apply to Remedy data input or queries? Suppose somebody queries a Remedy form for entries where a particular field = "whatever;do something nasty;--". Or they enter their name as "whatever;do something nasty;--"? Will the database do something nasty, or does Remedy take precautions against it, or is there no danger in the first place?

Dwayne Martin
James Madison University
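The danger described in the question, as an added example that is not part of the original post and says nothing about how Remedy builds its queries. It uses Python's sqlite3 module with a constructed table and a constructed input (including the quote character needed to end the string literal) to show the same value dropping a table when concatenated into SQL text and being treated as plain data when passed as a bound parameter.

```python
import sqlite3

# Constructed input in the shape the post describes: a value, a second
# statement, then a comment marker. The quote ends the string literal.
HOSTILE = "whatever'; DROP TABLE tickets;--"


def new_db():
    """Constructed in-memory database with one table and one row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, submitter TEXT)")
    db.execute("INSERT INTO tickets (submitter) VALUES ('alice')")
    db.commit()
    return db


def table_exists(db):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'tickets'"
    ).fetchone()
    return row[0] == 1


def lookup_concatenated(db, name):
    # Unsafe: the value becomes part of the SQL text, and the whole string
    # is handed to an API that runs every statement it contains.
    db.executescript("SELECT id FROM tickets WHERE submitter = '" + name + "';")


def lookup_bound(db, name):
    # Safe: the SQL text is fixed; the value travels separately as a bound
    # parameter and is only ever compared as data.
    return db.execute(
        "SELECT id FROM tickets WHERE submitter = ?", (name,)
    ).fetchall()


def demo():
    unsafe_db, safe_db = new_db(), new_db()
    lookup_concatenated(unsafe_db, HOSTILE)
    rows = lookup_bound(safe_db, HOSTILE)
    return table_exists(unsafe_db), table_exists(safe_db), rows


if __name__ == "__main__":
    print(demo())
```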

