> From: "Hal Kaplan" <[EMAIL PROTECTED]>
> Date: Thu, August 24, 2006 12:57 pm
> To: "ProFox Email List" <[email protected]>
>
> => Anyone who blindly enters uncontrolled values into a
> => SQL command is a complete moron. That form of injection was
> => known and handled about a decade ago, when web pages were
> => first used with databases.
> =>
> => -- Ed Leafe
>
> Who said "Two most plentiful things on Earth are nitrogen and stupidity."?
>
> You are correct, sir. (To paraphrase a M$ ad)
I have seen more first mistakes on the login page :) Where you are taking both username & PW, it seems that the mindset is to see if the user & pw are correct by getting the data back. I have seen one system where the first 4 letters of the username are used to pull similar data from the db. The system then iterates through looking for the username and, if found, checks the pw entered.

So how do others protect themselves from raw user input when SPs are not worthy?

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
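The pattern the post describes (paste the typed username and password into the WHERE clause, then see whether a row "comes back") next to the answer to its closing question: bind the input as a parameter and do the password check in code against a salted hash. This is an added example, not code from the thread; it uses Python and sqlite3 in place of the poster's FoxPro/SQL back end, and the user table, names and passwords are constructed here.

```python
"""Added example: string-built login query vs. parameterised, hashed login.
Python + sqlite3 stand in for the back end the post describes; the user
table is constructed sample data."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 50_000  # assumption: tune the work factor for your hardware


def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: one table kept the old way (plaintext
    passwords, checked inside the SQL) and one kept as salt + hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (name, pw))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_pw(pw, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Raw user input spliced into the SQL text; returns the matched
    username or None. Deliberately broken to show the injection."""
    sql = ("SELECT username FROM users_plain "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Bound parameter keeps the input as data; the password is checked in
    code with a constant-time hash comparison, not in the WHERE clause."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown user is not answered faster than a wrong password.
        hash_pw(password, b"\x00" * 16)
        return None
    salt, stored = row
    return username if hmac.compare_digest(hash_pw(password, salt), stored) else None


if __name__ == "__main__":
    db = build_demo_db()
    # Username "alice' --" closes the quote and comments out the password test.
    print("vulnerable:", login_vulnerable(db, "alice' --", "anything"))  # alice
    print("safe:      ", login_safe(db, "alice' --", "anything"))        # None
    print("safe, real:", login_safe(db, "alice", "correct horse"))       # alice
```

The parameter placeholder (`?` here) is the whole fix for the injection; the hashing and constant-time compare are the separate fix for "getting the data back" to see whether the password matched, which otherwise means the password must be stored in a form the query can compare.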

