I'm pretty sure it doesn't happen that way else there would be no need for the Direct SQL action if you could run an SQL from a field just by typing an SQL statement in a field and running a query against the database...
Joe

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Dwayne Martin
Sent: Wednesday, January 02, 2008 2:48 PM
To: [email protected]
Subject: Remedy and SQL injection attacks

Hello Everyone,

Here is an issue I have just become aware of, and am wondering how Remedy handles the danger, or if it even is a danger.

It seems that if a web page accepts data input, and uses that data to query a database, the user can insert a value like: "whatever;do something nasty;--". Then if the web page uses this value to query the database, the database will actually perform the "do something nasty" command, which could be anything from dropping a table to giving somebody administrator permissions. (For a neat little cartoon illustrating this danger see: http://xkcd.com/327/.)

So my question is, does this apply to Remedy data input or queries? Suppose somebody queries a Remedy form for entries where a particular field = "whatever;do something nasty;--". Or they enter their name as "whatever;do something nasty;--"? Will the database do something nasty, or does Remedy take precautions against it, or is there no danger in the first place?

Dwayne Martin
James Madison University
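The mechanism Dwayne asks about, as an added example that is not from this thread: it uses Python's sqlite3 as a stand-in (the AR System schema, server and Direct SQL action are not modelled) to contrast splicing the value into the statement text, which changes the statement's structure, with binding it as a parameter, which matches it literally.

```python
import sqlite3

# Constructed stand-in for a form's backing table; sqlite3 is used only
# because it ships with Python. The real AR System tables are not modelled.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE T1 (C1 INTEGER PRIMARY KEY, C8 TEXT)")
    db.executemany("INSERT INTO T1 VALUES (?, ?)",
                   [(1, "Dwayne Martin"), (2, "Joe")])
    return db

# Constructed hostile value shaped like the one in the question. A quote is
# added so that it closes the string literal when spliced into SQL text.
HOSTILE = "whatever';do something nasty;--"

def build_unsafe_sql(value):
    # The injectable pattern: user text becomes part of the statement itself.
    return "SELECT C1 FROM T1 WHERE C8 = '" + value + "'"

def unsafe_lookup(db, value):
    """Run the spliced statement; report when the value created a second one."""
    try:
        return [r[0] for r in db.execute(build_unsafe_sql(value)).fetchall()]
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # sqlite3 refuses more than one statement per execute() (older Python
        # raises Warning, newer ProgrammingError). The refusal is the tell:
        # the value turned one statement into two. A backend that allows
        # stacked statements would simply run the second one.
        return "multiple statements"

def safe_lookup(db, value):
    """Bind the value as a parameter: it is data, never parsed as SQL."""
    rows = db.execute("SELECT C1 FROM T1 WHERE C8 = ?", (value,)).fetchall()
    return [r[0] for r in rows]

def row_count(db):
    return db.execute("SELECT count(*) FROM T1").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print(unsafe_lookup(db, "Joe"))     # [2]
    print(unsafe_lookup(db, HOSTILE))   # multiple statements
    print(safe_lookup(db, "Joe"))       # [2]
    print(safe_lookup(db, HOSTILE))     # [] (no row holds that literal text)
    print(row_count(db))                # 2
```

Note that the question's value has no embedded quote; spliced into a quoted string literal it would stay inert, which is why the quoting and typing of each field, not just the presence of ';' and '--', decides whether a value can break out.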

