[ic] SQL query as cgi par: strange behavior

Stefan Hornburg (Racke) racke at linuxia.de
Fri Dec 2 15:50:39 UTC 2011

On 12/02/2011 04:36 PM, Marco Mescoli wrote:
>>> All you need to do is call that page with ?sku=drop+table+products and
>>> you
>>> will have a dead catalog.
>> Right.
> ?sql=drop+table+products
> You are a bad boy Racke.
> Sssshh, this is our secret ;-)

Writing your own code to build search/SQL queries gives you more flexibility
and can't be exploited like the above.

Have fun


LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
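As an added illustration that is not code from this thread or from Interchange itself, here are the three ways a CGI parameter can end up in a query, written against Python's sqlite3 module with a constructed three-row catalog. The first executes the `sql` parameter verbatim (the case quoted above), the second builds the query in your own code but pastes the value into the SQL string, and the third builds it in your own code with a bind parameter. Only the third survives a hostile `sku`. The table name, column names, SKU values and the `' OR '1'='1` payload are assumptions made for the example.

```python
import sqlite3

# Constructed sample catalog for the example; not data from the mailing list.
SAMPLE_PRODUCTS = [
    ("os28004", "Ear Muffs", 19.95),
    ("os28005", "Disposable Ear Plugs", 4.95),
    ("os28006", "Welding Helmet", 49.00),
]


def make_catalog():
    """Build an in-memory catalog with a hypothetical 'products' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (sku TEXT PRIMARY KEY, description TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table with this name still exists in the database."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


# Pattern 1: the page runs whatever ?sql=... says.
# The CGI parameter IS the statement, so "drop table products" is honoured.
def run_cgi_sql(conn, cgi_sql):
    return conn.execute(cgi_sql).fetchall()


# Pattern 2: the query is built in your own code, but the parameter value is
# spliced into the SQL text. The quotes look like protection, yet a value that
# closes the quote rewrites the WHERE clause. (sqlite3's execute() refuses a
# second, stacked statement; other drivers do not, so "'; drop table ..." is
# still a live risk elsewhere.)
def search_sku_interpolated(conn, sku):
    query = "SELECT sku, description FROM products WHERE sku = '%s'" % sku
    return conn.execute(query).fetchall()


# Pattern 3: the query is built in your own code and the value travels as a
# bind parameter. The driver never lets it become SQL, so any payload is just
# a SKU that matches nothing.
def search_sku_bound(conn, sku):
    return conn.execute(
        "SELECT sku, description FROM products WHERE sku = ?", (sku,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_catalog()
    payload = "' OR '1'='1"
    print("interpolated:", search_sku_interpolated(conn, payload))  # whole catalog
    print("bound:       ", search_sku_bound(conn, payload))         # nothing
    run_cgi_sql(conn, "drop table products")
    print("products table still exists:", table_exists(conn, "products"))
```

Run it and the interpolated search returns every row for the tautology payload while the bound search returns none; the verbatim `sql` parameter removes the table outright. The flexibility Racke mentions is real, but it only pays off when the hand-built query keeps user input on the data side of the driver, as in the third function.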
