Heh. And the worst part is that the guy himself probably did not realize he was doing something wrong. I find it pretty strange that people can still miss those simple security measures, when just about every manual or tutorial for web programming mentions, in one way or the other, the security rule #1: "Do not trust what your visitors submit". Or for that matter trust your visitors at all. Even the most benevolent user might submit something harmful, and what about the malicious?

Personally, I try to make sure that nothing that is submitted goes unchecked, especially if it might be part of a SQL query, or has any chance of being displayed back in the browser.

That said, I once, about two-three years ago, saw a site that had SQL statements embedded in the HTML! More specifically, in VB-scripts on the pages. I have no real idea how that worked, or why it would be in the client-side VB code... it is altogether possible that it didn't work, but was just some strange copy/paste error. Then again, given the total integration and (at least earlier) lack of security compared to "features" in Microsofts systems... I know very little about VB/ASP etc, and at that time I knew nothing. :) That doesn't mean it wasn't the real queries (with logic around it), including table names, column names, and variables passed in etc, and that could have been disastrous for those guys. "Gee, I wonder if I can end this submit with a semi-colon and then..." - well, you know the drill. Sadly, I never remembered to save that URL. I'm pretty sure it didn't last long anyways, at least not in that form.

Good node, and hopefully food for thought that will help one or two sites out there be more secure. :)

---

You have moved into a dark place.
It is pitch black. You are likely to be eaten by a grue.

---

---

• Are you posting in the right place? Check out Where do I post X? to know for sure.
• Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:

  <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>

• Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
• Want more info? How to link or How to display code and escape characters are good places to start.