Rauken
Posting Yak Master
108 Posts
Posted - 2004-09-10 : 08:54:28
This might be old news but it's surprising how often it works. If you come to a login webpage, try entering the following in the username and pwd fields:

' or 1=1 --

There are so many sites that do not check for invalid characters. This little SQL code ends the username string, says the username can be true, and comments out the rest of the SQL code. The SQL code will look something like this:

SELECT * FROM users WHERE username = '' OR 1=1 --
X002548
Not Just a Number
15586 Posts
Posted - 2004-09-10 : 11:59:00
Doesn't work here...thank the lord...and the blogs are safe as well...

Brett
8-)
DustinMichaels
Constraint Violating Yak Guru
464 Posts
Posted - 2004-09-10 : 12:01:09
I'm glad it didn't work on my site! I think the trick to get around this is to parameterize all of the inputs to your SQL statements.
graz
Chief SQLTeam Crack Dealer
4149 Posts
Posted - 2004-09-10 : 13:05:31
Either parameterize them or remove all single quotes from any string going to SQL Server. I always try to use stored procedures myself. You can do a Google search on "SQL Injection" to find more information.

===============================================
Creating tomorrow's legacy systems today.
One crisis at a time.
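The following is an added example, not code posted by anyone in this thread. It reproduces Rauken's `' or 1=1 --` bypass against a login query built by string concatenation, then shows the two defenses discussed in the replies: bound parameters (DustinMichaels, graz) and stripping single quotes before concatenation (graz). It uses Python's built-in sqlite3 module in place of SQL Server so it runs offline; the `users` table, its `username`/`pwd` columns and the single `alice` row are constructed sample data, and the function names are assumptions for this example.

```python
import sqlite3

# Constructed sample data for this example only: a users table with one row.
# Column names and the row are assumptions, not taken from the thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def build_concat_sql(username, pwd):
    """Vulnerable query construction: user input is pasted straight into
    the statement text, which is the pattern Rauken's payload targets."""
    return ("SELECT * FROM users WHERE username = '" + username +
            "' AND pwd = '" + pwd + "'")


def login_concat(conn, username, pwd):
    """Vulnerable login: executes the concatenated statement as-is."""
    return conn.execute(build_concat_sql(username, pwd)).fetchall()


def login_param(conn, username, pwd):
    """Fixed login: '?' placeholders are bound by the driver, so the input is
    always treated as data and can never change the statement's structure."""
    sql = "SELECT * FROM users WHERE username = ? AND pwd = ?"
    return conn.execute(sql, (username, pwd)).fetchall()


def login_strip_quotes(conn, username, pwd):
    """graz's alternative: delete single quotes, then concatenate. This stops
    the payload here because the input can no longer close the string literal
    it is embedded in."""
    return login_concat(conn, username.replace("'", ""),
                        pwd.replace("'", ""))


# The payload from the original post. Inside the concatenated statement it
# closes the username literal, ORs in an always-true condition, and the
# trailing '--' comments out the password check entirely.
PAYLOAD = "' or 1=1 --"


def demo():
    """Run the payload against each variant; True means the login was
    bypassed (rows came back without valid credentials)."""
    conn = make_db()
    return {
        "concat_bypassed": len(login_concat(conn, PAYLOAD, "wrong")) > 0,
        "param_bypassed": len(login_param(conn, PAYLOAD, "wrong")) > 0,
        "strip_bypassed": len(login_strip_quotes(conn, PAYLOAD, "wrong")) > 0,
        "param_legit_ok": len(login_param(conn, "alice", "correct horse")) > 0,
    }


if __name__ == "__main__":
    print(build_concat_sql(PAYLOAD, "wrong"))
    for name, bypassed in demo().items():
        print(f"{name}: {bypassed}")
```

Running it prints the concatenated statement, which begins exactly as Rauken described (`SELECT * FROM users WHERE username = '' or 1=1 --`), and shows that only the concatenated version returns a row for the payload. Quote-stripping blocks this particular payload because it relies on breaking out of a quoted string literal; it does nothing for input spliced into an unquoted position such as a numeric comparison, which is why bound parameters (or stored procedures called with parameters, as graz does) are the general fix rather than character filtering.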