× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



On Wed, 3 Jan 2007, Joe Pluta wrote:

From: rob@xxxxxxxxx

It has been pointed out to me that my ftp exit point has a bug.  I check
the first few characters.  For example I will only allow you to change
directory into certain directories.  However, someone pointed out a common
error.  What about cd
/ToDirectoryThatRobInsistsUpon/../TheOneThatTheSneakyBastardWantsInto

Other common errors?  How about the traditional web hack that someone puts
up a search screen that prompts you for certain values?  And then passes
those values via URL.  Then the hack is that you can manipulate how the
search data is represented in that url to darn near perform an entirely
different SQL statement.

Welcome to the web world.  The good news, though, is that those exploits are
very well documented and you should, with some research, be able to find all
of them and address them.  The SQL injection technique in particular is a
nasty one but one that has some very well-tested workarounds.

The SQL exit point can be a real pain, especially since you need to then
scan every SQL command and in a high-transaction environment that's going to
be ugly performance-wise.  That's why I recommend people just turn it off
and use a called program or a web service.  That way you have much easier
control over what's being allowed.

How is this any better than simply using prepared statements? AFAIK prepared statements completely remove the possibility of SQL injection attacks. Statement scanning becomes completely unnecessary.

James Rich

It's not the software that's free; it's you.
        - billyskank on Groklaw

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.