People need to learn to sanitize SQL...



  •  

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'AND'.

    /voters/vtr_process.asp, line 94

     

    /Sigh. 

     

    From:


    http://www.shapethefuture.org/voters/voter_status.asp



  • I won't say it is the "Real" WTF... but Classic ASP??? For a website centered around the 2008 Election???

    C'mon, people!!!



  • Sanitize?  No.  Simply use parameters?  Yes.



  • @jpaull said:

    I won't say it is the "Real" WTF... but Classic ASP??? For a website centered around the 2008 Election???

    C'mon, people!!!

     

    I love this kind of comment.  If you don't upgrade an existing app that is built on an "outdated" technology, you get comments like this one.  If you do update it because it's on an "outdated" technology, you get "WTF??? Why update when the existing app is working fine."



  • @campkev said:

    @jpaull said:

    I won't say it is the "Real" WTF... but Classic ASP??? For a website centered around the 2008 Election???

    C'mon, people!!!

     

    I love this kind of comment.  If you don't upgrade an existing app that is built on an "outdated" technology, you get comments like this one.  If you do update it because it's on an "outdated" technology, you get "WTF??? Why update when the existing app is working fine."

     

    Point taken.... However, the existing app apparently does NOT work fine and appears to be using embedded SQL, which by itself should warrant a re-write.



  • @jpaull said:

    @campkev said:

    @jpaull said:

    I won't say it is the "Real" WTF... but Classic ASP??? For a website centered around the 2008 Election???

    C'mon, people!!!

     

    I love this kind of comment.  If you don't upgrade an existing app that is built on an "outdated" technology, you get comments like this one.  If you do update it because it's on an "outdated" technology, you get "WTF??? Why update when the existing app is working fine."

     

    Point taken.... However, the existing app apparently does NOT work fine and appears to be using embedded SQL, which by itself should warrant a re-write.

    None of which has anything to do with it being written in Classic ASP



  • Oh this one is gonna be wide open in 30 minutes.

    A zip code of ';-- reveals:

     

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string ';-- AND AddrNum = AND BIRTHDATE = ''.

    /voters/vtr_process.asp, line 9

     

     

    I'm sure they're running as SA too. That box is toast.
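The two posts above (the "simply use parameters" one and the `';--` zip code one) describe the same root cause: form fields are glued into the SQL text, so an empty field breaks the syntax and a quote in a field rewrites the query. The following is an added example, not code from the voter site; the query shape is assumed from the error message on this page (zip in quotes, AddrNum unquoted, BIRTHDATE in quotes), it uses an in-memory SQLite table with constructed sample rows rather than SQL Server, and the `voters`, `zip`, `addrnum` and `birthdate` names are made up for the demo. The first function reproduces the concatenation bug; the second is the same lookup with bound parameters.

```python
import sqlite3

# Constructed sample data for the demo; none of this is real voter data.
SAMPLE_VOTERS = [
    ("Alice Example", "90210", 123, "1970-01-01"),
    ("Bob Example", "90210", 456, "1980-02-02"),
    ("Carol Example", "10001", 789, "1990-03-03"),
]


def make_db():
    """Build an in-memory SQLite table shaped like the assumed voter lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE voters (name TEXT, zip TEXT, addrnum INTEGER, birthdate TEXT)"
    )
    conn.executemany("INSERT INTO voters VALUES (?, ?, ?, ?)", SAMPLE_VOTERS)
    return conn


def lookup_concatenated(conn, zip_code, addr_num, birthdate):
    """Assumed shape of the page's query: form fields pasted straight into SQL.

    An empty addr_num yields '... AND addrnum =  AND ...' (syntax error near AND),
    and a quote inside zip_code lets the caller rewrite the WHERE clause.
    """
    sql = (
        "SELECT name FROM voters WHERE zip = '" + zip_code + "'"
        " AND addrnum = " + addr_num +
        " AND birthdate = '" + birthdate + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, zip_code, addr_num, birthdate):
    """Same lookup with bound parameters: every field is data, never SQL text.

    SQLite applies numeric affinity when comparing the INTEGER column to the
    bound string, so "123" still matches 123 and "" simply matches nothing.
    """
    sql = "SELECT name FROM voters WHERE zip = ? AND addrnum = ? AND birthdate = ?"
    return [row[0] for row in conn.execute(sql, (zip_code, addr_num, birthdate))]


def sql_error(fn, *args):
    """Return the database error message a call raises, or None if it succeeds."""
    try:
        fn(*args)
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print("legit, concatenated :", lookup_concatenated(db, "90210", "123", "1970-01-01"))
    print("legit, parameterized:", lookup_parameterized(db, "90210", "123", "1970-01-01"))
    # Empty address number: the concatenated query is no longer valid SQL.
    print("empty AddrNum, concatenated :", sql_error(lookup_concatenated, db, "90210", "", "1970-01-01"))
    print("empty AddrNum, parameterized:", lookup_parameterized(db, "90210", "", "1970-01-01"))
    # Quote plus comment in the zip field: the rest of the WHERE clause is discarded.
    print("injected zip, concatenated :", lookup_concatenated(db, "' OR 1=1 --", "0", ""))
    print("injected zip, parameterized:", lookup_parameterized(db, "' OR 1=1 --", "0", ""))
```

With a lone quote or the post's `';--` in the zip field, the concatenated version produces the "unclosed quotation mark" class of error shown above (SQLite words it as an unrecognized token), while the parameterized version just compares the literal text against the zip column and returns no rows. No escaping or "sanitizing" of the input is involved; the driver never lets the value reach the SQL parser.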



  • Might be worth removing the URL while they still have a database?

    Or am I just being too kind? :P



  • @fyjham said:

    Might be worth removing the URL while they still have a database?

    Or am I just being too kind? :P

    Since it's for voter registration, I'd hope everyone waits 'til late tomorrow to play :-)



  • Gee, I hope Bobby Tables doesn't visit that site...



  • @samanddeanus said:

    Gee, I hope Bobby Tables doesn't visit that site...

    Shouldn't matter, unless Bobby's Zip code is "90210; DROP DATABASE voters; --"


  • Actually, that's not the database name, and the user name they log in with indicates they probably didn't give it rights to drop any databases. I didn't have the heart to try though.

