Vulnerability Development mailing list archives
Re: malformed sql queries
From: Blue Boar <BlueBoar () thievco com>
Date: Sat, 29 Dec 2001 20:18:42 -0800
Peter Gutmann wrote:
I was more concerned about people doing things like using %39 to escape filtering for ' characters, a la Microsoft's continuing ".." problems.
That's something I was curious about as well. I know parts of Microsoft's version of the TDS protocol are done in Unicode. If you pass the appropriate escape character in Unicode, the script that's trying to strip out dangerous stuff wouldn't catch it. The only problem I can see is how do you keep IIS from decoding the Unicode first (talking about web form access, obviously.) BB
Current thread:
- malformed sql queries Gabriel A. Maggiotti (Dec 29)
- Re: malformed sql queries JayBonci (Dec 29)
- Re: malformed sql queries Francois Scala (Dec 30)
- <Possible follow-ups>
- Re: malformed sql queries Peter Gutmann (Dec 29)
- Re: malformed sql queries JayBonci (Dec 29)
- Re: malformed sql queries Peter Gutmann (Dec 29)
- Re: malformed sql queries Blue Boar (Dec 29)
- Re: malformed sql queries Kevin Hegg (Dec 31)