> It looks to me like a malicious user could stick damned near anything in
> there, unfortunately.
>
> If you're only going to put a single condition in there, I reckon the
> easiest way to solve the problem would be to strip all spaces out of their
> string.

No can do, since there is already a situation where I pass in multiple
conditions.

If I just dropped (or aborted upon the discovery of) the semicolon
character, would that effectively prevent users from "chaining" commands
together?  I'm not interested in preventing malformed SQL statements (a
CFCATCH block will catch DB errors), I'm just interested in preventing users
from exploiting this system.

Thanks for the thoughts,
Seth


------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/[email protected]/
To Unsubscribe visit http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

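The semicolon question in the message above, worked through in an added example that is not code from this thread or from ColdFusion. It is a Python script against an in-memory SQLite database with two assumed tables (products, users) and constructed rows. The first query function does what the message proposes: it concatenates the user's condition into the WHERE clause with only the ';' removed, and it still hands over unpublished rows and another table's password hashes through OR and UNION, with no semicolon anywhere. The second function parses each condition as column, operator, value against an allowlist of columns (with an expected type) and operators, and binds the value as a query parameter, so multiple conditions still work but the value can never become SQL. In ColdFusion, cfqueryparam plays the parameter-binding role; the column/operator allowlist is the part no tag does for you. Note that sqlite3's execute() refuses to run more than one statement, so the chained-statement case itself is not reproduced here; the point is what the semicolon filter leaves open.

```python
import re
import sqlite3

# Constructed sample data for the demo (not real products or credentials).
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, price REAL, published INTEGER);
CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
INSERT INTO products VALUES (1, 'Widget', 9.99, 1), (2, 'Gadget', 19.99, 1),
                            (3, 'Unreleased prototype', 0, 0);
INSERT INTO users VALUES (1, 'admin', 'fake-hash-for-demo');
"""

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

# --- The approach proposed in the thread: concatenate, but drop semicolons. ---

def strip_semicolons(condition):
    return condition.replace(";", "")

def query_vulnerable(conn, condition):
    """WHERE clause built by string concatenation. Only ';' is removed, so
    anything that is valid inside a single SELECT goes straight to the DB."""
    sql = ("SELECT id, name, price FROM products WHERE published = 1 AND "
           + strip_semicolons(condition))
    return conn.execute(sql).fetchall()

# --- Hardened version: parse, allowlist, bind. ---

ALLOWED_COLUMNS = {"name": str, "price": float}   # column -> expected value type
ALLOWED_OPS = {"=", "<>", "<", "<=", ">", ">="}
COND_RE = re.compile(r"^\s*(\w+)\s*(<=|>=|<>|=|<|>)\s*(.+?)\s*$")

def parse_condition(text):
    """Accept only '<column> <op> <value>' with an allowlisted column and
    operator. The value is returned as data to be bound, never spliced
    into the SQL text."""
    m = COND_RE.match(text)
    if not m:
        raise ValueError("malformed condition: %r" % text)
    col, op, raw = m.groups()
    if col not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % col)
    if op not in ALLOWED_OPS:
        raise ValueError("operator not allowed: %r" % op)
    cast = ALLOWED_COLUMNS[col]
    if cast is str:
        # String literals must be single-quoted; the content inside the quotes
        # becomes a bound parameter, quotes or keywords included.
        if len(raw) < 2 or raw[0] != "'" or raw[-1] != "'":
            raise ValueError("string value must be single-quoted: %r" % raw)
        value = raw[1:-1]
    else:
        value = cast(raw)   # raises ValueError for anything non-numeric
    return col, op, value

def query_safe(conn, conditions):
    """Several conditions are supported; each is ANDed in with a '?' placeholder."""
    clauses, params = [], []
    for text in conditions:
        col, op, value = parse_condition(text)
        clauses.append("%s %s ?" % (col, op))
        params.append(value)
    sql = "SELECT id, name, price FROM products WHERE published = 1"
    if clauses:
        sql += " AND " + " AND ".join(clauses)
    return conn.execute(sql, params).fetchall()

def is_rejected(conn, conditions):
    """True if the hardened path refuses the input instead of running it."""
    try:
        query_safe(conn, conditions)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = setup_db()
    payloads = ["price < 15 OR 1=1",
                "1=0 UNION SELECT id, username, password_hash FROM users",
                "name = 'x' OR '1'='1'"]
    for p in payloads:
        print("vulnerable:", p, "->", query_vulnerable(db, p) if "UNION" in p or "1=1" in p else "(skipped)")
        print("hardened:  ", p, "->", "rejected" if is_rejected(db, [p]) else query_safe(db, [p]))
    print("two conditions:", query_safe(db, ["price < 15", "name = 'Widget'"]))
```

The two payloads that slip past the semicolon filter are the ones to notice: "price < 15 OR 1=1" returns the unpublished row, and the UNION payload returns a row from users. The hardened parser rejects both (a non-allowlisted column in one case, a non-numeric value for price in the other), and the quoted payload "name = 'x' OR '1'='1'" is accepted but bound as a literal string, so it simply matches nothing.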