MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 05 June 2006 : 14:55:51
I don't think the mod was fixed yet. Best way is to look for all instances of request.querystring and request.form, and look how they're used in SQL queries. Make sure they're always sanitized, via the ChkString(..., "SQLString") method.
portfolio - linkshrinker - oxle - twitter
Panhandler
Average Member
USA
783 Posts
Posted - 05 June 2006 : 22:03:12
quote: Originally posted by MarcelG
I don't think the mod was fixed yet. Best way is to look for all instances of request.querystring and request.form, and look how they're used in SQL queries. Make sure they're always sanitized, via the ChkString(..., "SQLString") method.
Sorry. . .that's way too advanced for me. I can't fill in the blanks and don't know what that means. Short lesson would be appreciated at this point.
"5-in-1 Snitz Common Expansion Pack" - five popular mods packaged for easy install ". . .on a mote of dust, suspended in a sunbeam. . ." HarborClassifieds Support Snitz Forums
MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 06 June 2006 : 03:43:14
In short: when you want to sanitize a string which is used in a SQL statement, you need to parse it through the ChkString function. So, when we've got the string Request.Form("username"), and you would like to sanitize it, change it to this: chkString(Request.Forum("username"),"SQLString")
Panhandler
Average Member
USA
783 Posts
Posted - 06 June 2006 : 14:51:10
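The audit MarcelG describes (find every Request.QueryString / Request.Form use and check that each one feeding a SQL statement is wrapped in ChkString(..., "SQLString")), written up as an added Python script. It is not Snitz code: the ASP lines it scans are constructed samples in the style of a mod page, and the regexes are a per-line heuristic, not a parser.

```python
import re

# Constructed sample of Classic ASP lines in the style of a Snitz mod page
# (hypothetical, not real Snitz code). Lines 1-2 concatenate raw request
# input into SQL, line 3 wraps the input in ChkString(..., "SQLString"),
# line 4 uses a request value outside any SQL statement.
SAMPLE_ASP = '''\
strSql = "SELECT * FROM " & strTablePrefix & "PM WHERE M_NAME = '" & Request.Form("username") & "'"
strSql = "DELETE FROM " & strTablePrefix & "PM WHERE M_ID = " & Request.QueryString("id")
strSql = "SELECT * FROM " & strTablePrefix & "PM WHERE M_NAME = '" & ChkString(Request.Form("username"), "SQLString") & "'"
Response.Write Request.QueryString("page")
'''

# Any read of a request value (VBScript is case-insensitive).
REQUEST_RE = re.compile(r'Request\.(?:Form|QueryString)\s*\(', re.IGNORECASE)
# A request value wrapped directly in ChkString(..., "SQLString").
CHK_RE = re.compile(
    r'ChkString\s*\(\s*Request\.(?:Form|QueryString)\s*\([^)]*\)\s*,\s*"SQLString"\s*\)',
    re.IGNORECASE,
)
# Crude marker that the line builds a SQL statement.
SQL_RE = re.compile(r'\b(SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)


def audit_request_usage(asp_source):
    """Return (line_no, builds_sql) for every line that reads a request value
    without passing every such read through ChkString(..., "SQLString").
    builds_sql is True when the same line contains a SQL keyword, which is
    the case the thread is about; False entries still deserve a look because
    the value may be concatenated into SQL on a later line."""
    findings = []
    for no, line in enumerate(asp_source.splitlines(), start=1):
        raw = len(REQUEST_RE.findall(line))
        wrapped = len(CHK_RE.findall(line))
        if raw > wrapped:
            findings.append((no, bool(SQL_RE.search(line))))
    return findings


if __name__ == "__main__":
    for no, builds_sql in audit_request_usage(SAMPLE_ASP):
        tag = "SQL on same line" if builds_sql else "check where it ends up"
        print(f"line {no}: unsanitised request value ({tag})")
```

Because the check is per line, a statement assembled over several lines (strSql = strSql & ...) is only partly covered; run it over every .asp file in the mod and read the flagged lines in context rather than trusting the count.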
I'm pretty sure that 90 percent of Snitzers know how to implement that advice. But I'm in the bottom 10 percent of the class.
And I'm pretty sure that "username" refers to another variable, but I don't know what. I've searched all the files for Request.Form in an attempt to figure it out. . .but no luck. (I'm pretty sure that Request.Forum wasn't what you meant).
And I've Googled for: ChkString(..., "SQLString") in an attempt to educate myself. There were some interesting results, but nothing helpful.
So, for me. . .still no progress.
AnonJr
Moderator
United States
5768 Posts
Posted - 06 June 2006 : 14:54:35
Just so you know, ChkString is located in inc_func_common.asp - it's a Snitz internal function.
Edited by - AnonJr on 06 June 2006 14:54:56
Panhandler
Average Member
USA
783 Posts
Posted - 07 June 2006 : 09:00:09
quote: Originally posted by AnonJr
Just so you know, ChkString is located in inc_func_common.asp - it's a Snitz internal function.
Okay. . .last guess for me. Apparently some coding is required in the inc_func_common.asp file, probably under: function chkString(pString,fField_Type) That's too far beyond my abilities to fabricate code on my own.
So, I'll have to leave "Private Messages" as a defective mod with a security leak and hope someone creates a patch for it sometime.
MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 07 June 2006 : 09:41:46
Panhandler, I would patch it, if I could find the time for it. Unfortunately that's something that's lacking for me at the moment.