Representative line


  • Considered Harmful

    Found in a classic ASP script littered with SQL injection vulnerabilities, the comment for a function which should not exist:


    '=========== Send EMAIL Through SQL ==============

    Capitalization preserved.

    Yes, it does exactly what it says... by concatenating a very long unescaped XML string interspersed with variables and inserting that into the database to be picked up by a SQL Server Agent process.
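The failure mode the post describes, as an added example that is not code from the original thread or from the script it mocks: a constructed Python stand-in (SQLite in place of SQL Server, an assumed `email_queue` table in place of whatever the Agent job actually polled) that builds the queued XML and the INSERT by string concatenation, next to the version a reviewer would ask for, with the XML built by a serializer and the row inserted through a bound parameter.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed stand-in for the table a SQL Server Agent job would pick up.
SCHEMA = "CREATE TABLE email_queue (id INTEGER PRIMARY KEY, payload TEXT NOT NULL)"


def open_queue():
    """In-memory SQLite database with the assumed queue table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def build_unsafe_sql(to_addr, subject, body):
    """Mirror of the classic-ASP anti-pattern: the XML document and the INSERT
    are both assembled by concatenation, with no escaping at either layer."""
    xml = ("<email><to>" + to_addr + "</to><subject>" + subject
           + "</subject><body>" + body + "</body></email>")
    return "INSERT INTO email_queue (payload) VALUES ('" + xml + "')"


def enqueue_unsafe(conn, to_addr, subject, body):
    conn.execute(build_unsafe_sql(to_addr, subject, body))
    conn.commit()


def unsafe_insert_fails(conn, to_addr, subject, body):
    """True if the concatenated statement is rejected by the SQL parser.
    An apostrophe in a mail body is enough: the string literal closes early."""
    try:
        enqueue_unsafe(conn, to_addr, subject, body)
    except sqlite3.OperationalError:
        return True
    return False


def build_email_xml(to_addr, subject, body):
    """Let the XML library do the escaping, so '<' and '&' in user text
    become well-formed character data rather than markup."""
    root = ET.Element("email")
    ET.SubElement(root, "to").text = to_addr
    ET.SubElement(root, "subject").text = subject
    ET.SubElement(root, "body").text = body
    return ET.tostring(root, encoding="unicode")


def enqueue_safe(conn, to_addr, subject, body):
    """The value travels as a bound parameter; the SQL text never changes."""
    conn.execute("INSERT INTO email_queue (payload) VALUES (?)",
                 (build_email_xml(to_addr, subject, body),))
    conn.commit()


def read_queue(conn):
    """Consumer side: every stored payload must parse as XML."""
    rows = conn.execute("SELECT payload FROM email_queue ORDER BY id").fetchall()
    return [ET.fromstring(payload) for (payload,) in rows]


def raw_payloads(conn):
    return [p for (p,) in conn.execute("SELECT payload FROM email_queue ORDER BY id")]


if __name__ == "__main__":
    q = open_queue()
    print("unsafe insert rejected:", unsafe_insert_fails(q, "a@example.com", "Hi", "don't"))
    enqueue_safe(q, "a@example.com", "Hi", "don't <b>shout</b>")
    print("stored:", raw_payloads(q)[0])
    print("body read back:", read_queue(q)[0].find("body").text)
```

The unsafe path does not even need a hostile sender to fail: a contraction in the body produces a syntax error, and anything that survives the parser arrives at the Agent job as XML the author never escaped. Both layers need their own encoding, which is why the fix binds the parameter and serializes the document separately instead of patching one quoting rule onto the concatenation.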



  • @joe.edwards said:

    Found in a classic ASP script littered with SQL injection vulnerabilities, the comment for a function which should not exist:


    '=========== Send EMAIL Through SQL ==============

    Capitalization preserved.

    Yes, it does exactly what it says... by concatenating a very long unescaped XML string interspersed with variables and inserting that into the database to be picked up by a SQL Server Agent process.


    what's the problem?



  • Bah, everyone knows that SQL is the real way to send EMAIL. Forget about things like s-mtp!



  • Someone could, by sending an email about SQL injection techniques, sabotage the db accidentally.



  • @HonoreDB said:

    Someone could, by sending an email about SQL injection techniques, sabotage the db *accidentally*.
     

     Wow - you've found a way to make xkcd references even more annoying!



  • @obediah said:

    @HonoreDB said:
    Someone could, by sending an email about SQL injection techniques, sabotage the db *accidentally*.
     

     Wow - you've found a way to make xkcd references even more annoying!

    Who said anything about xkcd?  Do you think he's referencing Bobby Tables?

