1) Sorry about cross-posting (that's the trouble with the digest).
2) OK, guv, it's a fair cop (though I like to think that when accepting
parms from a form I always got them from drop-down lists).
3) The plot thickens a bit more - you *can* create a variable of [admin'
&&] using 'antique' code but it still doesn't run from the command line:
CREATE CURSOR users (user C(5), password c(5))
INSERT INTO users values('poo', 'bear')
INSERT INTO users values('meme', 'pass')
INSERT INTO users values('admin', '3j&Kv@')
accept 'Enter username ' to xuser && admin' &&
xpass = 'abc'
SELECT * FROM users WHERE user = ?xuser AND password = ?xpass
?_TALLY && 0
**/** BUT **/**
lvar = "Select * From Users where user = '" + xuser + "' And password = '" + xpass + "'"
&lvar
?_TALLY && 1 !!!! for the snark was a boojum you see !!!
AndyD 8-)
On 19:59, Grigore Dolghin wrote:
> <snip> in last 10 minutes I have created an example
> which can be downloaded from here:
>
> www.class-software.eu/sqlparameters.zip
>
> Username: admin
> Password: adminpass
>
> The program will show how many records have been selected (1, the admin
> user)
>
> Then enter this:
>
> Username: admin'&&
> Password: any random password
>
> The app will select the same record.
>
> Then comment top lines and uncomment the below ones, try the trick again
> and tell me if the user was logged in.
>
> <<snip>>
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]
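The same comparison rebuilt as an added Python/sqlite3 example (not code from the post above or from the downloadable sample): the concatenated query is the analogue of the `&lvar` macro substitution, the placeholder query is the analogue of `?xuser`/`?xpass`. SQLite has no `&&` comment, so the injected username uses SQL's `--` end-of-line comment, which plays exactly the same role of cutting off the password check. The table contents are constructed here to mirror the cursor in the post.

```python
import sqlite3

# Constructed sample rows, mirroring the users cursor in the post.
USERS = [("poo", "bear"), ("meme", "pass"), ("admin", "3j&Kv@")]


def make_db():
    """In-memory SQLite database with the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, user, password):
    """Vulnerable: the statement is built by string concatenation and
    then executed as-is, which is what VFP's &lvar macro does."""
    sql = ("SELECT * FROM users WHERE user = '" + user
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, user, password):
    """Safe: the values travel as bound parameters, so a quote or a
    comment marker in them never reaches the SQL parser (?xuser style)."""
    return conn.execute(
        "SELECT * FROM users WHERE user = ? AND password = ?",
        (user, password)).fetchall()


def demo():
    """Run both login paths with a good login and two injected usernames
    and return the row counts, i.e. the _TALLY of each query."""
    conn = make_db()
    # "--" is SQL's end-of-line comment (VFP: "&&"); everything after it,
    # including the AND password = ... clause, is discarded by the parser.
    comment_out = "admin'--"
    # Closing the quote early and ORing a tautology matches every row.
    match_all = "' OR '1'='1' --"
    return {
        "concat_good": len(login_concat(conn, "admin", "3j&Kv@")),
        "concat_evil": len(login_concat(conn, comment_out, "abc")),
        "concat_all": len(login_concat(conn, match_all, "abc")),
        "param_good": len(login_param(conn, "admin", "3j&Kv@")),
        "param_evil": len(login_param(conn, comment_out, "abc")),
        "param_all": len(login_param(conn, match_all, "abc")),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

With the concatenated form the `admin'--` username logs in as admin with any password (1 row) and the tautology returns the whole table (3 rows); with bound parameters both injected strings are just usernames nobody has (0 rows).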