Don't have access to UV at present, but wonder if the following INPUT
would do the "trick"

> ' AND WITH EVAL "EXECUTE 'CLEAR.FILE CLIENT'" = '

                                       

Ross Ferris
Stamina Software
Visage > Better by Design!


>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:owner-u2-
>[EMAIL PROTECTED] On Behalf Of penno
>Sent: Monday, 29 October 2007 11:45 AM
>To: u2-users@listserver.u2ug.org
>Subject: RE: [U2] Stringing commands together on the command line. Possible?
>
>Hi Bill, David, all
>
>I'm getting the answers I want. (c: I'm glad it doesn't look like it's
>possible.
>
>I should have explained myself more clearly. I'm looking at it from a
>security point of view. I read this comic the other day,
>
>http://xkcd.com/327/
>
>and wondered if there was a risk of malicious code insertion with our
>inhouse programs. For instance suppose there was a program like this
>(and it's been a while since I've programmed, so I hope you'll all get
>the gist of it!):
>
>>CRT "INPUT MEMBER NAME: "
>>INPUT MEM.NAME
>>
>>EXECUTE "SELECT CLIENT WITH MEMBER.NAME = '":MEM.NAME:"'"
>
>Innocuous enough. Now, assume for a minute the ";" delimiter worked
>like in unix. And suppose a malicious user, when prompted for MEM.NAME,
>entered:
>
>>FRED' ; CLEAR.FILE CLIENT ; CRT 'NOTHING
>
>From what I can tell, this would execute a CLEAR.FILE on CLIENT. I
>would like to be sure that this kind of thing's not possible. So far,
>so good. (c:
>Thanks for your speedy answers.
>
>Penno
>
>
>
>Bill Haskett wrote:
>>
>> Penno:
>>
>> As far as I know, this won't work.  However, I can think of three
>> ways to accomplish this:
>>
>>
>
>--
>View this message in context: http://www.nabble.com/Stringing-commands-together-on-the-command-line.-Possible--tf4688153.html#a13459953
>Sent from the U2 - Users mailing list archive at Nabble.com.
>-------
>u2-users mailing list
>u2-users@listserver.u2ug.org
>To unsubscribe please visit http://listserver.u2ug.org/
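
Added example, not part of either message: a Python model of the quoted program's statement building, showing that both inputs proposed in the thread end the quoted literal early, next to a construction that keeps the input inside a single literal. It assumes the query language accepts either ' or " around a literal; MAX_LEN, the function names and the name O'BRIEN are constructed for illustration.

```python
import re

MAX_LEN = 64  # assumed upper bound for a member name

def quote_literal(value):
    """Wrap value in a quote character it does not contain, else raise."""
    if not value or len(value) > MAX_LEN:
        raise ValueError("empty or over-long value")
    # Control characters, Pick-style mark characters (CHAR(251)-CHAR(255)) and
    # backslash are refused outright; backslash in case the dialect also
    # accepts it as a string delimiter (assumption).
    if any(ord(c) < 32 or 251 <= ord(c) <= 255 or c == "\\" for c in value):
        raise ValueError("control, mark or backslash character")
    for delim in ("'", '"'):
        if delim not in value:
            return delim + value + delim
    raise ValueError("value contains both quote characters")

def build_select(mem_name):
    """Hardened construction: the input can only ever be one literal."""
    return "SELECT CLIENT WITH MEMBER.NAME = " + quote_literal(mem_name)

def naive_select(mem_name):
    """The concatenation used by the program quoted in the thread."""
    return "SELECT CLIENT WITH MEMBER.NAME = '" + mem_name + "'"

def tokens(stmt):
    """Split a statement into quoted literals and bare words."""
    return re.findall(r"'[^']*'|\"[^\"]*\"|[^\s'\"]+", stmt)

def is_single_literal(stmt):
    """True when stmt is still SELECT CLIENT WITH MEMBER.NAME = <literal>."""
    t = tokens(stmt)
    head = ["SELECT", "CLIENT", "WITH", "MEMBER.NAME", "="]
    return len(t) == 6 and t[:5] == head and t[5][0] in "'\""

# The two inputs proposed in the thread, plus a constructed legitimate name.
PENNO = "FRED' ; CLEAR.FILE CLIENT ; CRT 'NOTHING"
ROSS = "' AND WITH EVAL \"EXECUTE 'CLEAR.FILE CLIENT'\" = '"
LEGIT = "O'BRIEN"

if __name__ == "__main__":
    for name in (PENNO, ROSS, LEGIT):
        print("naive keeps one literal:", is_single_literal(naive_select(name)))
        try:
            print("hardened:", build_select(name))
        except ValueError as err:
            print("rejected:", err)
```

The same rule ports to the BASIC program: choose the delimiter after inspecting MEM.NAME, and refuse the input when no safe delimiter is left.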