> Since nearly all SQL injection attempts come through the URL > (including the recent ones), that is where I put the focus.
Nearly all automated SQL injection attempts come through the URL. The ones that, say, compromise peoples' credit card data, they typically come from forms. > With this script I would not recommend checking the form > scope as there is too high a risk of false positives. I've > never heard of an injection attack coming through CGI > variables. I suppose it's possible, but the percentage of > queries using CGI scope data is probably minuscule compared > to URL variables. Again, targeted attacks will attempt to use any data that comes from the client. A brief review of the available tools for pen testing will show you that. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310448 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
