0.02 Euro in addition to what the others already said:

Rule of thumb: ' is for SQL, " is for Net.Data.

Hackers/Crackers can easily change your SQL by entering ' in your input fields. To avoid this, replace

    WHERE BWNMID = '$(CGIINP03)'

with

    WHERE BWNMID = '@DTW_rADDQUOTE(CGIINP03)'

The same is true for the input fields; those can be "destroyed" by entering "></body></html>".

    <input type="text" name="myvar" value="$(myvar)">

should be

    <input type="text" name="myvar" value="@DTW_rHTMLENCODE(myvar)">

Good luck!

--
Kind regards / best regards
Anton Gombkötö
Organisation and Project Management
Avenum Technologie GmbH
Wien - Salzburg - Stuttgart
http://www.avenum.com
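The two failure modes in the post, shown end to end in Python rather than Net.Data. This is an added example, not code from the post or from Net.Data: `add_quote` and `html.escape` stand in for @DTW_rADDQUOTE and @DTW_rHTMLENCODE on the assumption that those functions double single quotes and entity-encode HTML metacharacters respectively; the table BWNM, its NAME column, the rows and the hostile inputs are all constructed for the demonstration (the post only names the column BWNMID). The third lookup uses a bound parameter, which is the stronger fix where the toolkit allows it.

```python
import html
import sqlite3

# Constructed sample data: a hypothetical table BWNM with two rows.
ROWS = [("SMITH", "John Smith"), ("JONES", "Ann Jones")]

# Constructed inputs: one normal value and two hostile ones of the kind the post warns about.
NORMAL_ID = "SMITH"
SQL_INJECTION = "X' OR '1'='1"
HTML_BREAKOUT = '"></body></html>'


def add_quote(value: str) -> str:
    """Double each single quote, the SQL string-literal escape.
    Assumed to be what @DTW_rADDQUOTE does for DB2 (an assumption here)."""
    return value.replace("'", "''")


def naive_query(user_input: str) -> str:
    """Vulnerable pattern: WHERE BWNMID = '$(CGIINP03)' with the raw value pasted in."""
    return f"SELECT NAME FROM BWNM WHERE BWNMID = '{user_input}'"


def quoted_query(user_input: str) -> str:
    """Hardened pattern: WHERE BWNMID = '@DTW_rADDQUOTE(CGIINP03)'."""
    return f"SELECT NAME FROM BWNM WHERE BWNMID = '{add_quote(user_input)}'"


def _db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE BWNM (BWNMID TEXT, NAME TEXT)")
    con.executemany("INSERT INTO BWNM VALUES (?, ?)", ROWS)
    return con


def rows_for(sql: str, params=()) -> list:
    """Run one statement against the sample table and return the NAME column."""
    con = _db()
    try:
        return [r[0] for r in con.execute(sql, params)]
    finally:
        con.close()


def lookup_naive(user_input: str) -> list:
    return rows_for(naive_query(user_input))


def lookup_quoted(user_input: str) -> list:
    return rows_for(quoted_query(user_input))


def lookup_param(user_input: str) -> list:
    """Bound parameter: the value never becomes part of the SQL text at all."""
    return rows_for("SELECT NAME FROM BWNM WHERE BWNMID = ?", (user_input,))


def naive_input_tag(value: str) -> str:
    """Vulnerable pattern: value="$(myvar)" with the raw value pasted in."""
    return f'<input type="text" name="myvar" value="{value}">'


def encoded_input_tag(value: str) -> str:
    """Hardened pattern: value="@DTW_rHTMLENCODE(myvar)". html.escape with
    quote=True plays that role here (assumed equivalent)."""
    return f'<input type="text" name="myvar" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    print(naive_query(SQL_INJECTION))
    print(lookup_naive(SQL_INJECTION))   # every row: the WHERE clause was rewritten
    print(lookup_quoted(SQL_INJECTION))  # []: the quote is now plain data
    print(lookup_param(SQL_INJECTION))   # []
    print(naive_input_tag(HTML_BREAKOUT))
    print(encoded_input_tag(HTML_BREAKOUT))
```

With the hostile value the naive query becomes `... WHERE BWNMID = 'X' OR '1'='1'` and returns the whole table; after quote doubling the comparison is against the literal string the user typed and matches nothing. For the HTML side, the naive tag closes the attribute and the element at `">`, while the encoded form keeps the whole value inside the attribute.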
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.