I might be wrong, but I think that Access will only allow one SQL statement
per query, that's why the ; DROP TABLE.... attack won't work.
As for other SQL commands that could cause damage - how about
exec xp_cmdshell
which allows you to execute DOS commands on the server? You don't need to
think very much before seeing the damage THAT one could do.....
-----Original Message-----
From: Chad Gray [mailto:[EMAIL PROTECTED]]
Sent: 10 July 2001 14:48
To: CF-Talk
Subject: RE: URL Hacks - Solution
I tried this kind of attack on a test page hooked up to an Access database,
and could not get Access to drop the table. Does Access not recognize the
Drop Table SQL command?
I'm also wondering what other SQL commands could be passed other than DROP that
could cause damage.
I'm really glad this subject has come up.
At 05:42 PM 7/9/2001 -0400, you wrote:
>I think the script is a good first attempt and seems to address the URL
>hack threads previously that have gone around.
>
>so programmatically (SQL wise) what else might one post in the string to
>pick up further data???... May the SQL gods speak...
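
Added example, not part of the original thread: it runs the `; DROP TABLE` value from the discussion through a one-statement-per-call interface, a batch interface, and a bound parameter, to show that the outcome depends on the driver unless the value is bound. Python's sqlite3 stands in for the database driver (an assumption; the thread concerns Access and ColdFusion), and the table and function names are hypothetical.

```python
import sqlite3

# Constructed sample input: the stacked-statement URL value discussed in the thread.
PAYLOAD = "1; DROP TABLE users"
QUERY = "SELECT name FROM users WHERE id = "

def fresh_db():
    """Hypothetical one-table database, rebuilt for every test case."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice')")
    db.commit()
    return db

def table_exists(db):
    sql = "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    return db.execute(sql).fetchone()[0] == 1

def concat_single_statement(db, url_id):
    """Concatenated SQL sent through a call that accepts one statement only."""
    try:
        db.execute(QUERY + url_id)
        return "executed"
    except (sqlite3.Warning, sqlite3.Error):  # exception class varies by Python version
        return "rejected"

def concat_batch(db, url_id):
    """The same concatenated SQL sent through a call that accepts a batch."""
    db.executescript(QUERY + url_id)
    return "executed"

def bound_parameter(db, url_id):
    """Value bound as a parameter: compared as data, never parsed as SQL."""
    return db.execute(QUERY + "?", (url_id,)).fetchall()

def compare():
    results = {}
    db = fresh_db()
    results["single"] = (concat_single_statement(db, PAYLOAD), table_exists(db))
    db = fresh_db()
    results["batch"] = (concat_batch(db, PAYLOAD), table_exists(db))
    db = fresh_db()
    results["bound"] = (bound_parameter(db, PAYLOAD), table_exists(db))
    return results

if __name__ == "__main__":
    for name, outcome in compare().items():
        print(name, outcome)
```

Only the bound-parameter path gives the same safe result regardless of how many statements the underlying interface accepts.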