Representative line
-
Found in a classic ASP script littered with SQL injection vulnerabilities, the comment for a function which should not exist:
'=========== Send EMAIL Through SQL ==============
Capitalization preserved.
Yes, it does exactly what it says... by concatenating a very long unescaped XML string interspersed with variables and inserting that into the database to be picked up by a SQL Server Agent process.
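The pattern described above, as an added example rather than the original script's code: a constructed classic ASP (VBScript) fragment that builds the email XML by concatenation and drops it into an INSERT, beside the version that escapes the values into the XML and hands the payload to SQL Server as a bound parameter. The `OutboundMail` table, its `Payload` column and the open `conn` connection object are assumptions.

```vbscript
' Constructed example: values arrive from the request, as in the original script
Dim sTo, sSubject, sBody, xml, cmd
sTo = Request.Form("to")
sSubject = Request.Form("subject")
sBody = Request.Form("body")

' --- Vulnerable form: raw input lands in both the XML and the SQL text ---
' A single quote in any field closes the string literal and lets the rest of
' the field run as SQL; a "<" or "&" breaks the XML the Agent job will parse.
xml = "<mail><to>" & sTo & "</to><subject>" & sSubject & "</subject>" & _
      "<body>" & sBody & "</body></mail>"
conn.Execute "INSERT INTO OutboundMail (Payload) VALUES ('" & xml & "')"

' --- Hardened form ---
' 1) Escape the five XML-significant characters so the payload stays well-formed
'    whatever the user typed.
Function XmlEscape(s)
    s = Replace(s, "&", "&amp;")
    s = Replace(s, "<", "&lt;")
    s = Replace(s, ">", "&gt;")
    s = Replace(s, """", "&quot;")
    s = Replace(s, "'", "&apos;")
    XmlEscape = s
End Function

xml = "<mail><to>" & XmlEscape(sTo) & "</to>" & _
      "<subject>" & XmlEscape(sSubject) & "</subject>" & _
      "<body>" & XmlEscape(sBody) & "</body></mail>"

' 2) Pass the payload as a bound parameter: the driver never parses it as SQL,
'    so SQL metacharacters in the XML need no quoting at all.
Const adParamInput = 1
Const adLongVarWChar = 203   ' ADO type for long Unicode text (ntext / nvarchar(max))
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "INSERT INTO OutboundMail (Payload) VALUES (?)"
cmd.Parameters.Append cmd.CreateParameter("@payload", adLongVarWChar, adParamInput, Len(xml), xml)
cmd.Execute
```

The Agent job that reads `OutboundMail` should treat `Payload` as data it parses with an XML reader, never as text it splices into further dynamic SQL.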
-
@joe.edwards said:
Found in a classic ASP script littered with SQL injection vulnerabilities, the comment for a function which should not exist:
'=========== Send EMAIL Through SQL ==============
Capitalization preserved.
Yes, it does exactly what it says... by concatenating a very long unescaped XML string interspersed with variables and inserting that into the database to be picked up by a SQL Server Agent process.
What's the problem?
-
Bah, everyone knows that SQL is the real way to send EMAIL. Forget about things like s-mtp!
-
Someone could, by sending an email about SQL injection techniques, sabotage the db accidentally.
-
@HonoreDB said:
Someone could, by sending an email about SQL injection techniques, sabotage the db *accidentally*.
Wow - you've found a way to make xkcd references even more annoying!
-
@obediah said:
@HonoreDB said:
Someone could, by sending an email about SQL injection techniques, sabotage the db *accidentally*.
Wow - you've found a way to make xkcd references even more annoying!
Who said anything about xkcd? Do you think he's referencing Bobby Tables?