On Aug 24, 2006, at 2:37 PM, [EMAIL PROTECTED] wrote:
> The hacker breaks into the system by injecting malformed SQL into the
> query. This particular hack works
> because the executed query is formed by the concatenation of a fixed
> string and values entered by the user, as shown here:
Bzzzzzt!!
Anyone who blindly enters uncontrolled values into a SQL command is
a complete moron. That form of injection was known and handled about
a decade ago, when web pages were first used with databases.
-- Ed Leafe
-- http://leafe.com
-- http://dabodev.com
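The quoted message describes a query built by concatenating a fixed string with user-entered values; the reply says that form of injection has long been handled. The following added example (not from either poster, and not ProFox or Dabo code) shows both sides in Python against an in-memory SQLite table with constructed sample rows: `login_concat` builds the statement by string concatenation, `login_param` passes the same values through driver placeholders so they are never parsed as SQL. The function and table names are my own choices.

```python
import sqlite3

# Constructed sample data: a tiny in-memory user table for the demonstration.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: a fixed string concatenated with raw user input.

    Whatever the user types becomes part of the SQL text, so quote
    characters in the input change the structure of the statement.
    """
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Safe form: placeholders; the driver sends values separately from
    the SQL text, so input is only ever compared as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both forms with a legitimate password and with a constructed
    input containing a quote character, and return the rows each sees."""
    conn = make_db()
    hostile = "' OR '1'='1"  # constructed input; textbook quote-breaking value
    return {
        "concat_legit": login_concat(conn, "alice", "s3cret"),
        "concat_hostile": login_concat(conn, "alice", hostile),
        "param_legit": login_param(conn, "alice", "s3cret"),
        "param_hostile": login_param(conn, "alice", hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15s} -> {rows}")
```

With the concatenated form the quote-bearing input turns the WHERE clause into a tautology and every row comes back; with placeholders the same input is compared literally and matches nothing. The fix is not escaping by hand but keeping the SQL text fixed and letting the driver bind the values.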