[ic] SQL query as cgi par: strange behavior

Stefan Hornburg (Racke) racke at linuxia.de
Fri Dec 2 15:50:39 UTC 2011


On 12/02/2011 04:36 PM, Marco Mescoli wrote:
>>> All you need to do is call that page with ?sku=drop+table+products and
>>> you
>>> will have a dead catalog.
>>>
>>
>> Right.
>
> ?sql=drop+table+products
>
> You are a bad boy Racke.
> Sssshh, this is our secret ;-)
>

Writing your own code to build search/SQL queries gives you more flexibility
and can't be exploited like above.

Have fun

	Racke

-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
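The distinction Racke draws, as an added example that is not from the thread or the Interchange code base: using Python's sqlite3 module against a constructed two-row catalog, the first lookup runs whatever arrives in the CGI parameter as SQL, while the second builds the statement in its own code and binds the visitor's value as data, so the `drop table products` string from the thread is just a SKU that matches nothing. Table and column names are assumed for the example.

```python
import sqlite3

def make_catalog():
    # Constructed two-row catalog; SKUs and prices are made up for this example.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (sku TEXT PRIMARY KEY, description TEXT, price REAL);
        INSERT INTO products VALUES ('os28004', 'Ergo Roller', 1.00);
        INSERT INTO products VALUES ('os28005', 'Trim Brush', 3.50);
    """)
    return conn

def lookup_unsafe(conn, cgi_sql):
    # The pattern criticised in the thread: the CGI parameter *is* the query,
    # so whatever arrives after ?sql= runs against the catalog database.
    return conn.execute(cgi_sql).fetchall()

def lookup_safe(conn, cgi_sku):
    # Build the statement in your own code and bind the CGI value as data.
    # The driver never parses the visitor's string as SQL; it can only ever
    # be compared against the sku column.
    cur = conn.execute(
        "SELECT sku, description, price FROM products WHERE sku = ?", (cgi_sku,)
    )
    return cur.fetchall()

def table_exists(conn, name):
    # Schema check, also with a bound parameter.
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

def demo():
    # Run the URL-decoded value from the thread through both lookups.
    payload = "drop table products"
    results = {}
    conn = make_catalog()
    lookup_unsafe(conn, payload)
    results["unsafe_table_survives"] = table_exists(conn, "products")  # False

    conn = make_catalog()
    results["safe_rows_for_payload"] = lookup_safe(conn, payload)  # []
    results["safe_table_survives"] = table_exists(conn, "products")  # True
    results["safe_rows_for_real_sku"] = lookup_safe(conn, "os28004")
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```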
