[Tfug] I got a real funny here...needs to stay in TFUG...

Liz Ravenwood Liz_Ravenwood at beaerospace.com
Fri Jul 1 08:12:36 MST 2011


I must be a special kind of stupid because I'm not getting how that SQL could occur.

"INSERT INTO NameTable (LASTNAME) VALUES ('" & formfieldvalue & "')"

Where formfieldvalue = "Tables"

How does that change that field value to True, especially when it is a text field and not a Boolean?

-----Original Message-----
From: tfug-bounces at tfug.org [mailto:tfug-bounces at tfug.org] On Behalf Of Jim March
Sent: Thursday, June 30, 2011 8:48 PM
To: Tucson Free Unix Group
Subject: Re: [Tfug] I got a real funny here...needs to stay in TFUG...

God.  Nobody gets it yet?

The family name involved: True

Now think about how that would get turned into "1".

Yeah.  It's accepting program code in the data fields.  So you could
do an SQL injection attack with a paper and pen: just fill out a fake
voter registration form for "Little Bobby Tables"...

:)

Jim

On Thu, Jun 30, 2011 at 8:36 PM, Dennis McCormick
<macsinitial65haus at gmail.com> wrote:
> On Thu, Jun 30, 2011 at 8:23 PM, Adrian <choprboy at dakotacom.net> wrote:
>> On Thursday 30 June 2011 18:47, Jim March wrote:
>>> Somewhat OT, but still computer security related.
>>>
>>> OK, so there's this electronic voter registration system out there.
>>> Won't say which until the report goes public.  Ain't used in AZ so
>>> don't freak out on me :).
>>>
>>> Somebody I know who monitors elections went through the voter
>>> registration lists and found a small number of cases where the
>>> person's last name was listed as "1".  Yeah.  Just the number one, no
>>> quotes.
>>>
>>> It turned out all of those people (most unrelated to each other) had
>>> the same last name.
>>>
>>> Care to guess what it was?
>>>
>>
>>
>> O'Malley? O'Rielly? O'...
>>
>>
>>
>> Adrian
>>
>>
> How about Juan?
>
> Dennis
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>

_______________________________________________
Tucson Free Unix Group - tfug at tfug.org
Subscription Options:
http://www.tfug.org/mailman/listinfo/tfug_tfug.org

This email (and all attachments) is for the sole use of the intended recipient(s) and may contain privileged and/or proprietary information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
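Editor's added example, not code from anyone in the thread and not the real registration system's code: it reproduces the three behaviours discussed above with SQLite. The concatenated INSERT Liz quotes stores the surname "True" as plain text (so concatenation alone does not explain the "1"), but breaks on an apostrophe such as Adrian's "O'Malley"; a hypothetical type-guessing layer (`guess_type`, an assumption about the kind of defect involved) turns "True" into a boolean, which the driver binds as 1 and the TEXT column stores as "1"; a parameterised query with the value passed untouched preserves every name. The sample submissions are constructed.

```python
import sqlite3

# Constructed sample form submissions (not real voter data): "True" is the
# surname from the thread, "O'Malley" Adrian's guess, "Juan" Dennis's.
SUBMISSIONS = ["True", "O'Malley", "Juan"]


def guess_type(value: str):
    """Hypothetical form-parsing layer that 'helpfully' converts strings that
    look like booleans or integers into typed values. This is an assumption
    about what could produce the symptom, not the real system's code."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    try:
        return int(value)
    except ValueError:
        return value


def fresh_db():
    """In-memory database with the single text column from Liz's snippet."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE NameTable (LASTNAME TEXT)")
    return conn


def insert_concatenated(conn, surname):
    """Liz's pattern: the value is spliced into the SQL text. 'True' survives
    as text, but any apostrophe in the name breaks the statement."""
    sql = "INSERT INTO NameTable (LASTNAME) VALUES ('" + surname + "')"
    conn.execute(sql)


def insert_coerced(conn, surname):
    """Parameterised, but the value passes through the type-guessing layer
    first: 'True' becomes Python True, bound as integer 1, stored as text '1'."""
    conn.execute("INSERT INTO NameTable (LASTNAME) VALUES (?)",
                 (guess_type(surname),))


def insert_parameterised(conn, surname):
    """Parameterised query with the raw string; the name is stored verbatim."""
    conn.execute("INSERT INTO NameTable (LASTNAME) VALUES (?)", (surname,))


def stored_values(inserter):
    """Run every submission through one insert strategy and return what ended
    up in the column, or the exception class name if the insert failed."""
    conn = fresh_db()
    results = {}
    for submitted in SUBMISSIONS:
        try:
            inserter(conn, submitted)
            (stored,) = conn.execute(
                "SELECT LASTNAME FROM NameTable ORDER BY rowid DESC LIMIT 1"
            ).fetchone()
            results[submitted] = stored
        except sqlite3.Error as exc:
            results[submitted] = type(exc).__name__
    conn.close()
    return results


if __name__ == "__main__":
    for label, fn in [("concatenated", insert_concatenated),
                      ("coerced", insert_coerced),
                      ("parameterised", insert_parameterised)]:
        print(f"{label:14s} {stored_values(fn)}")
```

The check a reviewer would want when a registration list shows surnames of "1": look for a coercion step between the form and the query, not only for unquoted concatenation, since the concatenation by itself would have stored the word.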