while we are at it.

Has anybody had to deal with users entering SQL statements in fields not
intended for them?

If you have something like this,
  sql = "select * from secretdata where userid=" + user.getId()
        + " and month=" + UserInput + ";";

and need to get some input from a form field (UserInput) and the user
inputs '12 or userid>0'

then we get something like this
  sql = select * from secretdata where userid=xxx and month=12 or userid>0;
not quite what we intended.
Or what about nasty joins and LIKEs? They could easily lay down a database
(at least if you're running Access ;-)

- Kasper

----- Original Message -----
From: "Chris Kimpton" <[EMAIL PROTECTED]>
To: "turbine" <[EMAIL PROTECTED]>
Sent: Wednesday, November 08, 2000 1:03 PM
Subject: Handling javascript being entered into form fields...


> Hi,
>
> We were just testing our site and someone found that they could put
> javascript code into our tables - which was then processed upon
> re-displaying the data!
>
> My first thoughts to handle this are to do a replace of chars like < and >
> with the HTML printable versions - &lt; &gt;.
>
> So - anyone handled this before - does this seem like the best solution?
> And anyone got a utility for it?  I can't see any obvious solutions in
> Turbine/JSDK/JDK.
>
>
> If not, I could code it and contribute it back to turbine - as a
> stringutil or parameter parsers method.
>
> It would take a string and replace the few special chars with their
> encoded versions, for example < becomes &lt;
>
> Thanks,
> Chris
> ---
> "surely it is madness to accept life as it is and not as it could be"
> ______________________________________________
> FREE Personalized Email at Mail.com
> Sign up at http://www.mail.com/?sr=signup
>
>
> ------------------------------------------------------------
> To subscribe:        [EMAIL PROTECTED]
> To unsubscribe:      [EMAIL PROTECTED]
> Search: <http://www.mail-archive.com/turbine%40list.working-dogs.com/>
> Problems?:           [EMAIL PROTECTED]
>
>



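Kasper's point above, worked through as an added example (not code from the thread or from Turbine, and in Python with the standard sqlite3 module rather than Turbine's Java so that it runs offline). The table contents, the user ids and the function names are all constructed for the illustration. `query_concat` builds the statement by string concatenation exactly as in the post; `query_param` is the hardened form, which first checks that the month is an integer and then binds it with a placeholder so the database never sees the input as SQL text.

```python
import sqlite3

# Constructed sample data (not from the original thread): three users,
# two of them with a row for month 12.
SAMPLE_ROWS = [
    (1, 12, "alice-secret"),
    (2, 12, "bob-secret"),
    (3, 11, "carol-secret"),
]


def make_db():
    """In-memory database holding the constructed secretdata table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table secretdata (userid integer, month integer, secret text)")
    conn.executemany("insert into secretdata values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_concat(conn, user_id, user_input):
    """The pattern from the post: the form value is pasted into the SQL text.

    With user_input == "12 or userid>0" the WHERE clause becomes
    (userid=1 and month=12) or userid>0, which matches every row.
    """
    sql = ("select * from secretdata where userid=" + str(user_id)
           + " and month=" + user_input + ";")
    return conn.execute(sql).fetchall()


def query_param(conn, user_id, user_input):
    """Hardened form: validate the type and range, then bind with placeholders.

    Binding means the value travels separately from the statement text, so
    even a value that passed validation could not change the query's shape.
    """
    try:
        month = int(user_input)
    except ValueError:
        raise ValueError("month must be an integer, got %r" % (user_input,))
    if not 1 <= month <= 12:
        raise ValueError("month out of range: %d" % month)
    sql = "select * from secretdata where userid=? and month=?"
    return conn.execute(sql, (user_id, month)).fetchall()


def demo():
    """Run both variants against the same data and return the row sets."""
    conn = make_db()
    return {
        "concat_honest": query_concat(conn, 1, "12"),
        "concat_injected": query_concat(conn, 1, "12 or userid>0"),
        "param_honest": query_param(conn, 1, "12"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, len(rows), "row(s):", rows)
```

In Java the binding step is `PreparedStatement` with `setInt`/`setString` instead of concatenating into the query string; the validation before it is the same idea. Note that the hardened version raises on the injected input rather than silently returning nothing, which is what you want for a value that should only ever be a month number.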

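The replace-the-special-chars utility that Chris describes in the quoted message, as an added example (not the Turbine code and not something posted in the thread; written in Python rather than Java so it runs as-is). The stored payload and the `render_cell`/`render_attr` helpers are constructed for the illustration. Two things the one-line description leaves out are shown here: `&` has to be in the replacement set and has to be replaced first, or text that already contains an entity gets double-encoded, and the quote characters need escaping too when the value is written into an attribute rather than into element content.

```python
import html

# Constructed payload of the kind the quoted message describes: script text
# that was stored in a table cell and replayed on redisplay. Not from the post.
STORED_VALUE = '<script>alert("x")</script>'

# Order matters: "&" is replaced first so the entities produced by the later
# rules are not themselves re-encoded.
REPLACEMENTS = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#39;"),
]


def escape_html(s):
    """Replace the characters that carry meaning in HTML with their entities."""
    for raw, enc in REPLACEMENTS:
        s = s.replace(raw, enc)
    return s


def render_cell(value):
    """Value placed in element content, as when a table row is redisplayed."""
    return "<td>" + escape_html(value) + "</td>"


def render_attr(value):
    """Value placed in a double-quoted attribute; this is why '\"' is escaped."""
    return '<input name="month" value="' + escape_html(value) + '">'


def is_inert(rendered):
    """True if the rendered fragment contains no tag characters from user data.

    The only '<' and '>' allowed are the ones from the fixed template.
    """
    body = rendered.replace("<td>", "").replace("</td>", "")
    body = body.replace('<input name="month" value="', "").replace('">', "")
    return "<" not in body and ">" not in body and '"' not in body


if __name__ == "__main__":
    print(render_cell(STORED_VALUE))
    print(render_attr(STORED_VALUE))
    # The standard library does the same job; shown only for comparison.
    print(html.escape(STORED_VALUE, quote=True))
```

The standard-library `html.escape` (with `quote=True`) performs the same substitution, so in a Python code base there is no reason to hand-roll it; the hand-written table is here to make the ordering rule visible.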