john suppressed wrote:
> I do see
> from the docs, that I can set a hidden field of a SQL query. Is that not
> insecure? I realize that SAFE prevents someone from doing a delete or
> update. But why could someone not do a "select * from userdb" or even
> worse "select username as sku,password as comment from ..." that would
> fill the search page with the passwords.
>
> Does anyone see a way around this, is this a bug?
>

If you can make that happen then it's a security bug. :-)

In theory, tables listed in the NoSearch list (userdb by default) should be trapped. Please let me know off-list if (and how) you manage to get a password list from a URI-based search and I'll get right on it.

--
Kevin Walsh