Snitz Forums 2000
 New Security related bug-fix - members.asp(v3.3.x)

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 23 April 2002 :  14:41:29
There is a security bug in members.asp that everyone should fix ASAP. Here is what to do:

Find this section of code (near the top of members.asp):

if Request.QueryString("method") <> "" then
    SortMethod = Request.QueryString("method")
end if
SearchName = Request("M_NAME")
if SearchName = "" then
    SearchName = Request.Form("M_NAME")
end if

srchUName = Request("UserName")
srchFName = Request("FirstName")
srchLName = Request("LastName")
srchInitial = Request("INITIAL")

mypage = request("whichpage")



Replace it with this:

if trim(chkString(Request.QueryString("method"),"SQLString")) <> "" then
    SortMethod = trim(chkString(Request.QueryString("method"),"SQLString"))
end if
SearchName = trim(chkString(Request("M_NAME"),"SQLString"))
if SearchName = "" then
    SearchName = trim(chkString(Request.Form("M_NAME"),"SQLString"))
end if

srchUName = trim(chkString(Request("UserName"),"SQLString"))
srchFName = trim(chkString(Request("FirstName"),"SQLString"))
srchLName = trim(chkString(Request("LastName"),"SQLString"))
srchInitial = trim(chkString(Request("INITIAL"),"SQLString"))

if IsNumeric(srchUName) <> True then srchUName = "1"
if IsNumeric(srchFName) <> True then srchFName = "0"
if IsNumeric(srchLName) <> True then srchLName = "0"
if IsNumeric(srchInitial) <> True then srchInitial = "0"

mypage = trim(chkString(request("whichpage"),"SQLString"))


Please direct all discussions on this bug-fix here:

http://forum.snitz.com/forum/topic.asp?TOPIC_ID=26776
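
The input handling in the fix above (sort method, search name, numeric search flags with fallbacks, page number), as an added Python example that is not part of the original post and is not Snitz code. It goes beyond the fix by using an allow-list and bound parameters instead of string escaping; the MEMBERS table, every column other than M_NAME, the sort keys, the page size and the page cap are assumptions.

```python
import sqlite3

# Assumed allow-list: accepted "method" values mapped to fixed ORDER BY text.
SORT_METHODS = {"nameasc": "M_NAME ASC", "namedesc": "M_NAME DESC",
                "postsdesc": "M_POSTS DESC"}
# Request flag -> column searched -> fallback (UserName=1, others=0, as in the post).
FLAG_COLUMNS = (("UserName", "M_NAME", 1), ("FirstName", "M_FIRSTNAME", 0),
                ("LastName", "M_LASTNAME", 0))
PAGE_SIZE = 2


def numeric_or(value, default):
    """Counterpart of the IsNumeric fallback: non-digit input becomes default."""
    value = (value or "").strip()
    return int(value) if value.isascii() and value.isdigit() else default


def search_members(conn, params):
    """Return member names for untrusted request parameters (a plain dict)."""
    method = (params.get("method") or "").strip().lower()
    order_by = SORT_METHODS.get(method, "M_NAME ASC")
    columns = [col for key, col, fallback in FLAG_COLUMNS
               if numeric_or(params.get(key), fallback) != 0] or ["M_NAME"]
    page = min(max(numeric_or(params.get("whichpage"), 1), 1), 10_000)
    name = (params.get("M_NAME") or "").strip()
    # Only fixed strings from the tables above are spliced into the SQL text;
    # every request value travels as a bound parameter.
    where = " OR ".join(f"{col} LIKE ?" for col in columns)
    sql = (f"SELECT M_NAME FROM MEMBERS WHERE {where} "
           f"ORDER BY {order_by} LIMIT ? OFFSET ?")
    args = [f"%{name}%"] * len(columns) + [PAGE_SIZE, (page - 1) * PAGE_SIZE]
    return [row[0] for row in conn.execute(sql, args)]


def demo_db():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MEMBERS (M_NAME TEXT, M_FIRSTNAME TEXT, "
                 "M_LASTNAME TEXT, M_POSTS INTEGER)")
    conn.executemany("INSERT INTO MEMBERS VALUES (?, ?, ?, ?)", [
        ("alice", "Alice", "O'Neil", 12), ("bob", "Bob", "Stone", 40),
        ("carol", "Carol", "Alison", 7)])
    return conn


if __name__ == "__main__":
    print(search_members(demo_db(), {"M_NAME": "O'Neil", "UserName": "0", "LastName": "1"}))
```
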

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 20 May 2002 :  07:38:17
This fix is included in v3.3.04