Open your application, please, and in any textbox that is used for a SELECT
operation, enter this: "'] (exactly as I typed - double quote, single quote,
close square bracket). And please let me know what happened.

-----Original Message-----
From: profoxtech-boun...@leafe.com [mailto:profoxtech-boun...@leafe.com] On
Behalf Of Ken Dibble
Sent: Saturday, June 25, 2011 7:30 AM
To: profoxt...@leafe.com
Subject: Re: [NF] Questions on migrating VFP app


> > In order to execute code that modifies a table you have to have a 
> > valid EXECUTABLE statement, right?
> >
> > So something like "DROP TABLE" would be a bad thing. What I don't 
> > understand is how any sane person would design a query interface 
> > that results in a statement like "DROP TABLE" being *executed*.
>----------------------
>
><http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/>

Well yeah, if you have complete unfettered access to a server you can, I
imagine, run any number of horrible executable statements on it. However it
would appear that all of these multitudinous examples rely on just two basic
obvious dimwitted moves:

1. Allowing somebody to type in the name of a table or field instead of
making them choose it from a list of valid options.

2. Somehow allowing strings to be entered into a SQL statement without
enclosing them in appropriate delimiters.

So again I ask, why would anybody design a data-entry or query interface
that lets people do that?

Ken Dibble
www.stic-cil.org
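Added example (not code from the thread): a small Python script against an in-memory SQLite table, standing in for whatever backend the migrated VFP app talks to, that shows why Ken's point 2 is not enough and what the probe string from the first message does. The value is wrapped in single-quote delimiters exactly as he describes, yet a quote inside the value closes the delimiter early and the rest of the input is parsed as SQL; the bound-parameter form treats the same input as data, and the table/column names come only from a fixed allow-list (his point 1). The rows, table and column names are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example; not from the thread.
SAMPLE_ROWS = [
    (1, "Smith", "Ithaca"),
    (2, "O'Brien", "Albany"),   # a legitimate name containing the delimiter
    (3, "\"']", "Utica"),       # the probe string from the first message, stored as data
]

# The probe the first message asks the user to type: double quote, single quote,
# close square bracket.
PROBE = "\"']"

# Point 1: identifiers are chosen from a fixed list, never typed in.  The code
# below only ever interpolates a table/column name after checking it here.
SEARCHABLE_COLUMNS = {"customers": {"name", "city"}}


def make_db():
    """Build the in-memory table the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, city TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, value):
    """Point 2 done 'properly': the value IS enclosed in single-quote delimiters.
    Because the delimiter can also appear inside the value, the statement text
    changes shape with the input.  Returns the matching rows, or the error text
    the user would be shown."""
    sql = "SELECT id, name FROM customers WHERE name = '" + value + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Observable effect of the probe: the parser sees  '"'  then  ]  then an
        # unterminated quote.  Anything placed there is handed to the SQL parser.
        return f"SQL error: {exc}"


def lookup_safe(conn, table, column, value):
    """Identifier from the allow-list, value passed as a bound parameter.  The
    driver sends the value separately from the statement text, so a quote in
    the value is just a character in a string, never part of the SQL."""
    if column not in SEARCHABLE_COLUMNS.get(table, ()):
        raise ValueError(f"column {column!r} of table {table!r} is not searchable")
    sql = f"SELECT id, name FROM {table} WHERE {column} = ?"
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe, plain name :", lookup_unsafe(db, "Smith"))
    print("unsafe, O'Brien    :", lookup_unsafe(db, "O'Brien"))
    print("unsafe, probe      :", lookup_unsafe(db, PROBE))
    print("safe,   O'Brien    :", lookup_safe(db, "customers", "name", "O'Brien"))
    print("safe,   probe      :", lookup_safe(db, "customers", "name", PROBE))
```

Run it and the delimited-but-concatenated query fails on `O'Brien` just as it fails on the probe, which is the point: once untrusted text is spliced into the statement, "enclosing it in delimiters" only holds until the text contains a delimiter. The parameterized lookup returns the O'Brien row and the row whose name literally is the probe, and asking it for a column outside the allow-list raises before any SQL is built.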




_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/000001cc3321$3908ff10$ab1afd30$@gmail.com