Re: malformed sql queries
From: Blue Boar (BlueBoar@thievco.com)
Date: 12/30/01
- Previous message: Peter Gutmann: "Re: malformed sql queries"
- In reply to: Peter Gutmann: "Re: malformed sql queries"
- Next in thread: Francois Scala: "Re: malformed sql queries"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 29 Dec 2001 20:18:42 -0800
From: Blue Boar <BlueBoar@thievco.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Peter Gutmann wrote:
>
> I was more concerned about people doing things like using %39 to escape
> filtering for ' characters, a la Microsoft's continuing ".." problems.
That's something I was curious about as well. I know parts of
Microsoft's version of the TDS protocol are done in Unicode. If you
pass the appropriate escape character in Unicode, the script
that's trying to strip out dangerous stuff wouldn't catch it.
The only problem I can see is how do you keep IIS from decoding the
Unicode first (talking about web form access, obviously.)
BB
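Added example, not part of the thread: a small Python script illustrating the ordering problem Blue Boar raises. A filter that strips apostrophes from the raw request misses a percent-encoded apostrophe (`%27`, a constructed sample) that the web layer decodes afterwards; decoding before filtering catches it, and a parameterized query removes the dependence on filtering altogether. The table, rows and function names are assumptions made for the demonstration.

```python
import sqlite3
from urllib.parse import unquote


def strip_quotes(s: str) -> str:
    """Naive input filter: drop every apostrophe it can see."""
    return s.replace("'", "")


def filter_then_decode(raw: str) -> str:
    # Wrong layering: the filter runs on the still-encoded string, so "%27"
    # passes untouched; the web server decodes it later and the apostrophe
    # reappears in whatever reaches the database.
    return unquote(strip_quotes(raw))


def decode_then_filter(raw: str) -> str:
    # Canonicalize first, then validate: the encoded apostrophe is decoded
    # before the filter looks at the value, so it is removed.
    return strip_quotes(unquote(raw))


def build_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for a real application DB.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The value is bound as a parameter, never spliced into SQL text, so
    # quotes or encodings in the input cannot change the statement's shape.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(repr(filter_then_decode("%27")))   # "'"  -> the filter was bypassed
    print(repr(decode_then_filter("%27")))   # ""   -> caught after decoding
    db = build_db()
    print(lookup_parameterized(db, unquote("alice%27")))  # [] : literal match only
```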