I just tried it. Logging in as Donald Ball'; DROP TABLE employee;
does exactly what you think it would. It drops the table, and the next time you try to log in, the table is gone and logins fail (DOH - does the hsql db get regenerated automatically somehow?). I have to run out but will put this in Bugzilla later. This, combined with the fact that the mod-db stuff almost forces you to reveal your actual table and column names to the world in your request parameters, amounts to big trouble.

Geoff

--- Torsten Curdt <[EMAIL PROTECTED]> wrote:
> On Tue, 2002-11-05 at 19:53, Geoff Howard wrote:
> > Speaking of protecting against SQL injection - is it
> > generally known that DatabaseAuthenticatorAction.java
> > is not using PreparedStatement? I wonder what logging
> > in as
> >
> > Donald Ball'; DROP TABLE user_table;
> >
> > would do...?
>
> Do you mind trying it out and filing a bug in bugzilla? ;)
> --
> Torsten