Representative line


  • Winner of the 2016 Presidential Election

    Found in a classic ASP script littered with SQL injection vulnerabilities, the comment for a function which should not exist:




    '=========== Send EMAIL Through SQL ==============

    Capitalization preserved.

    Yes, it does exactly what it says... by concatenating a very long unescaped XML string interspersed with variables and inserting that into the database to be picked up by a SQL Server Agent process.
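
What that pattern looks like next to a parameterized version, as an added illustration that is not from the post or the script it describes (the mail_queue table, the field names and the sample input are constructed, and sqlite3 stands in for SQL Server):

```python
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed stand-in for the table an Agent job would poll; not the real schema.
SCHEMA = "CREATE TABLE mail_queue (id INTEGER PRIMARY KEY, payload TEXT NOT NULL)"

def new_queue():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def queue_mail_unsafe(conn, to, subject, body):
    # The pattern from the post: XML built by string concatenation, then that XML
    # concatenated into the INSERT. Neither layer escapes anything, so an ordinary
    # apostrophe or '<' in the data corrupts the SQL or the XML.
    xml = ("<mail><to>" + to + "</to><subject>" + subject +
           "</subject><body>" + body + "</body></mail>")
    conn.execute("INSERT INTO mail_queue (payload) VALUES ('" + xml + "')")

def queue_mail_safe(conn, to, subject, body):
    # Hardened form: XML-escape each field, then bind the finished document as a
    # parameter so the database never treats its contents as SQL text.
    xml = ("<mail><to>%s</to><subject>%s</subject><body>%s</body></mail>"
           % (escape(to), escape(subject), escape(body)))
    conn.execute("INSERT INTO mail_queue (payload) VALUES (?)", (xml,))

def fetch_payloads(conn):
    return [row[0] for row in conn.execute("SELECT payload FROM mail_queue ORDER BY id")]

def parse_mail(payload):
    # The fields a consumer job would read back, or None if the stored XML is malformed.
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return None
    return {child.tag: child.text for child in root}

def demo():
    # Constructed sample input: plain data that happens to contain an apostrophe and a '<'.
    to, subject, body = "dba@example.test", "Re: O'Brien's ticket", "Use <b>bold</b> sparingly"
    conn = new_queue()
    try:
        queue_mail_unsafe(conn, to, subject, body)
        unsafe_ok = True
    except sqlite3.OperationalError:
        unsafe_ok = False  # the apostrophe terminated the SQL string literal
    queue_mail_safe(conn, to, subject, body)
    parsed = parse_mail(fetch_payloads(conn)[0])
    return unsafe_ok, parsed

if __name__ == "__main__":
    print(demo())
```

The unsafe path fails on a normal name with an apostrophe; the same character class is what an injection relies on, and the parameterized path stores and reads back every field intact.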



  • @joe.edwards said:

    Found in a classic ASP script littered with SQL injection vulnerabilities, the comment for a function which should not exist:




    '=========== Send EMAIL Through SQL ==============

    Capitalization preserved.

    Yes, it does exactly what it says... by concatenating a very long unescaped XML string interspersed with variables and inserting that into the database to be picked up by a SQL Server Agent process.


    What's the problem?



  • Bah, everyone knows that SQL is the real way to send EMAIL. Forget about things like s-mtp!



  • Someone could, by sending an email about SQL injection techniques, sabotage the db accidentally.



  • @HonoreDB said:

    Someone could, by sending an email about SQL injection techniques, sabotage the db accidentally.

    Wow - you've found a way to make xkcd references even more annoying!



  • @obediah said:

    @HonoreDB said:
    Someone could, by sending an email about SQL injection techniques, sabotage the db accidentally.

    Wow - you've found a way to make xkcd references even more annoying!

    Who said anything about xkcd? Do you think he's referencing Bobby Tables?

