Just a question. Please don't take it wrong. Can you send a "DROP TABLE mytable" in the following example of an XSP page? I am using mod-db stuff too.

SELECT * FROM mytable WHERE mytable_id= Integer.parseInt( )

Antonio Gallardo

On Tuesday, 05 November 2002 14:38, Geoff Howard wrote:
> I just tried it. Logging in as
>
> Donald Ball'; DROP TABLE employee;
>
> does exactly what you think it would. It drops the
> table and the next time you try to log in, the table
> is gone and logins fail (DOH - does the hsql db get
> regenerated automatically somehow?)
>
> I have to run out but will put this in Bugzilla later.
>
> This combined with the fact that the mod-db stuff
> almost forces you to reveal your actual table and
> column names to the world in your request parameters
> amounts to big trouble.
>
> Geoff
>
> --- Torsten Curdt wrote:
> > On Tue, 2002-11-05 at 19:53, Geoff Howard wrote:
> > > Speaking of protecting against SQL injection - is it
> > > generally known that DatabaseAuthenticatorAction.java
> > > is not using PreparedStatement? I wonder what logging
> > > in as
> > > Donald Ball'; DROP TABLE user_table;
> > >
> > > would do...?
> >
> > Do you mind trying out and file a bug in bugzilla? ;)
> > --
> > Torsten

---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
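The thread contrasts a query built by pasting the login name into the SQL text (what it reports DatabaseAuthenticatorAction does) with a PreparedStatement, and Antonio asks whether an Integer.parseInt() wrapper closes the hole for an integer id. The following is an added example, not code from the thread or from Cocoon: it uses Python's sqlite3 as a stand-in for the JDBC/HSQLDB setup, with a constructed `employee` table (name taken from the thread, rows invented). The `run_batch` helper is an assumption: it emulates a driver that executes every statement found in the string, which is what the thread reports happened, since sqlite3's own `execute()` accepts only one statement. `lookup_by_id` reproduces the integer-coercion pattern from the question; `int()` refuses a non-numeric value before any SQL exists, which is why that pattern holds for numeric parameters but does nothing for string columns, where only parameter binding keeps the value out of the statement text.

```python
import sqlite3

# Constructed sample data, not Cocoon's real schema or users.
SEED_ROWS = [("alice", "s3cret"), ("Donald Ball", "hunter2")]

# The login input used in the thread.
THREAD_PAYLOAD = "Donald Ball'; DROP TABLE employee;"


def fresh_db():
    """In-memory SQLite database holding the constructed employee table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table with this name is still present."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def run_batch(conn, sql):
    """Emulate a driver that executes every statement in the string.

    Assumption: the thread's HSQLDB setup behaved this way.  sqlite3's
    execute() takes one statement, so the text is split on ';' and each
    piece is run in turn; a piece that fails to parse (the stray quote
    the payload leaves behind) is skipped, as a lenient driver would.
    Returns the rows of any SELECT pieces.
    """
    rows = []
    for piece in sql.split(";"):
        piece = piece.strip()
        if not piece:
            continue
        try:
            cur = conn.execute(piece)
            if piece.upper().startswith("SELECT"):
                rows.extend(cur.fetchall())
        except sqlite3.Error:
            pass
    conn.commit()
    return rows


def lookup_concatenated(conn, username):
    """Concatenation pattern: the input becomes part of the SQL text.

    Returns the rendered SQL and the rows so the broken statement
    boundary is visible to the caller.
    """
    sql = "SELECT name FROM employee WHERE name = '" + username + "'"
    return sql, run_batch(conn, sql)


def lookup_parameterized(conn, username):
    """PreparedStatement pattern: the value is bound, never parsed as SQL."""
    cur = conn.execute("SELECT name FROM employee WHERE name = ?", (username,))
    return cur.fetchall()


def lookup_by_id(conn, raw_id):
    """The Integer.parseInt() pattern from the question.

    int() raises ValueError for anything that is not a number, so no
    statement is built from the payload.  Only valid for numeric columns.
    """
    ident = int(raw_id)
    return conn.execute(
        "SELECT name FROM employee WHERE rowid = ?", (ident,)
    ).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print(lookup_concatenated(db, "alice"))
    print(lookup_concatenated(db, THREAD_PAYLOAD))
    print("employee table survives:", table_exists(db, "employee"))
    db = fresh_db()
    print(lookup_parameterized(db, THREAD_PAYLOAD))
    print("employee table survives:", table_exists(db, "employee"))
```

Running it shows the concatenated lookup returning the Donald Ball row and then losing the table, while the parameterized lookup with the same input simply finds no user named `Donald Ball'; DROP TABLE employee;` and leaves the schema intact.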