-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi,
I am going over some in house code for my current employer. The code is used on an internal website to manage SLA's and other network device stats (Sort of a NMS). Anyway the site does not check user input very well (Affected by CSS) and I noticed the following line of code. $sql = "select designation from designation_desc where designation =\"$designation\""; This code is in a function that gets called directly from a few web pages without any input checking on the var $designation. I have little experience with MYSQL and when i try to insert a " to break it gets translated to a \" which of course does not allow for sql injection. I would like to be able to show my boss a demo of what can be done so that he will allocate time to get the website security problem fixed (particularly because the database stores community strings for routers and switches). If anyone can help it would be very greatful. Ashley Woodbridge. Network Engineer B.IT CCNP -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBPGIT//lE2kyUK9QFEQIv7wCfTtLL0Ugtn97qggXdpClKZWlUV2wAoJyN 0VRMqU/DATfAxgU9JgCW8/pF =MBsx -----END PGP SIGNATURE-----
