Hi, while this article is interesting I want to point out that though you might be using Direct DBMS, WiTango has by default SQL encoding set up in the t4server.ini file which will escape the characters properly for insert into the DB, and therefore such commands cannot be passed.

Now if you DID turn SQL Encoding off, you're still not in trouble. Why? Well it depends actually. If you set up a user which WiTango connects as to have admin rights, then you're asking for trouble in the first place. When you're in a deployment environment, never ever set up a user which can create, drop or make any alterations to the database. Basically the only rights a WiTango connection should have is select, insert, update and delete to the DB. If you need to run stored procedures then add that right only and only add it to run within a certain table structure not database wide.

I think the article can be more alarming to people than it should be. ASP is a security hole in itself to begin with (no pun intended).

R

Niall Merrigan wrote:
>Hey guys and girls
>
>This might and might not apply to witango (depends on your app structure)
>but will probably apply if you use Direct DBMS actions
>
>http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3
>
>Niall
>
>________________________________________________________________________
>TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
> with unsubscribe witango-talk in the message body
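The least-privilege database account described in the reply above, written out as an added T-SQL example (this is not code from the thread or from WiTango; the database name AppDb, the login witango_app, the role app_dml, the table dbo.Orders and the procedure dbo.usp_GetOrder are assumed names):

```sql
-- Added example: an application account that can only read and change rows,
-- never create, drop or alter objects. All object names below are assumed.
USE AppDb;
GO

-- One dedicated login for the WiTango connection, nothing shared with admins.
CREATE LOGIN witango_app WITH PASSWORD = '<placeholder-strong-password>';
CREATE USER witango_app FOR LOGIN witango_app;

-- Put the rights on a role so they are easy to audit and to reuse.
CREATE ROLE app_dml;
ALTER ROLE app_dml ADD MEMBER witango_app;

-- The only rights the connection gets: select, insert, update, delete
-- on the application's tables (here the dbo schema), nothing database wide.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_dml;

-- Stored procedures: grant EXECUTE only on the specific procedure needed,
-- not EXECUTE on the whole schema or database.
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrder TO app_dml;

-- Explicitly deny schema changes, so a later careless GRANT cannot add them
-- (DENY wins over GRANT in SQL Server).
DENY CREATE TABLE, CREATE PROCEDURE, CREATE VIEW TO app_dml;
DENY ALTER, CONTROL ON SCHEMA::dbo TO app_dml;

-- Check: what can the application account actually do on a table?
-- Expect SELECT/INSERT/UPDATE/DELETE rows only, no ALTER or CONTROL.
EXECUTE AS USER = 'witango_app';
SELECT permission_name
FROM fn_my_permissions('dbo.Orders', 'OBJECT');
REVERT;
```

Run the final check after every permissions change; if ALTER, CONTROL or any CREATE permission shows up for the application user, the account has drifted away from the rights the reply recommends.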
