From: Eric den Doop (Houten, Netherlands)
To: Borislav Borissov (Sofia, Bulgaria)
Subject: RE: Is SEARCH working?
Thread ID: 189352 Message ID: 189406 # Views: 1 # Ratings: 0
Version: Not Applicable Category: Foxite: feedback
Date: Thursday, August 14, 2008 7:36:45 PM

> >
> > yes, and many others too.
> >
> > What these guys do is they send a request to the search engine (for example rubinov), followed by an sql injection script which will always fail on my system anyway.
> >
> > But since their requests come in many times per minute, they are taking resources away because the search request for rubinov is still executed. Until I know a good way to protect the site against these losers, the keywords are blocked.
> > --
> > Eric den Doop
> > www.foxite.com - The Home Of The Visual FoxPro Experts
>
> Why not refuse the whole query if injection attack is involved in query?

Sure, that would be the best solution, but the current implementation doesn't work that way. It strips out any unwanted (unnamed) parameters (the SQL injection) and then continues with the other parameters. The reason for this is backwards compatibility with old links and human errors (typos).
--
Eric den Doop
www.foxite.com - The Home Of The Visual FoxPro Experts
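The two handling policies discussed in this post, side by side, as an added example; this is not foxite.com's code, and the parameter names (`q`, `page`), the injection signatures, the table layout and the sample requests are all assumptions made for the illustration. The "strip" policy drops unknown parameters and still runs the search, which is what costs resources when the same poisoned request arrives many times per minute; the "reject" policy refuses the request before any SQL executes. In both cases the search term is bound as a query parameter, so the appended payload can never run as SQL.

```python
import re
import sqlite3
from urllib.parse import parse_qsl

# Query parameters the search endpoint actually understands (assumption:
# the real site's parameter names are not given in the thread).
ALLOWED_PARAMS = {"q", "page"}

# Crude signatures for the kind of payload that gets appended to a search
# request. Deliberately narrow; see the note below on false positives.
INJECTION_PATTERNS = re.compile(
    r"\bunion\s+(?:all\s+)?select\b"   # UNION SELECT ...
    r"|--"                             # SQL line comment
    r"|'\s*or\s+\S+\s*=\s*\S+"         # ' or 1=1
    r"|\bxp_cmdshell\b",
    re.IGNORECASE,
)


def looks_injected(text):
    """True if a parameter name or value matches an injection signature."""
    return INJECTION_PATTERNS.search(text) is not None


def build_db():
    """In-memory table with a few constructed rows standing in for forum posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO messages (author, body) VALUES (?, ?)",
        [
            ("Yuri Rubinov", "Is SEARCH working?"),
            ("Eric den Doop", "yes, and many others too."),
            ("Borislav Borissov", "Why not refuse the whole query?"),
        ],
    )
    return conn


def run_search(conn, term):
    """The expensive part of the request. The term is bound as a parameter,
    so even an injected value is only ever compared as data."""
    pattern = f"%{term}%"
    cur = conn.execute(
        "SELECT author FROM messages WHERE author LIKE ? OR body LIKE ?",
        (pattern, pattern),
    )
    return [row[0] for row in cur.fetchall()]


def handle_request(conn, query_string, policy="strip"):
    """Dispatch a raw query string under one of two policies.

    "strip":  drop parameters that are not allow-listed and carry on with
              the rest (tolerates old links and typos, but still runs the
              search on a poisoned request).
    "reject": refuse the whole request as soon as any parameter name or
              value looks like an injection attempt, before any SQL runs.

    Returns (status, matching authors, number of queries executed).
    """
    params = parse_qsl(query_string, keep_blank_values=True)
    if policy == "reject" and any(looks_injected(k) or looks_injected(v) for k, v in params):
        return ("rejected", [], 0)
    kept = {k: v for k, v in params if k in ALLOWED_PARAMS}
    term = kept.get("q", "").strip()
    if not term:
        return ("empty", [], 0)
    return ("ok", run_search(conn, term), 1)


# Constructed sample requests: a normal search, the same search with an
# injection payload in an extra parameter, and a harmless mistyped parameter.
SAMPLE_REQUESTS = [
    "q=rubinov",
    "q=rubinov&x=' union select null,null --",
    "q=rubinov&pge=2",
]

if __name__ == "__main__":
    db = build_db()
    for policy in ("strip", "reject"):
        for qs in SAMPLE_REQUESTS:
            status, hits, n = handle_request(db, qs, policy)
            print(f"{policy:6} {qs!r:45} -> {status:8} hits={hits} queries={n}")
```

Note that the mistyped `pge=2` request still succeeds under the strict policy, so rejecting on injection signatures does not have to cost the tolerance for old links and typos. The signature list is only a resource-saving pre-filter and will produce false positives on legitimate search terms (a `--` inside a product name, for instance); the defense that actually makes the payload harmless is the bound parameter in `run_search`. Rate limiting repeat offenders per source address is the usual complement when the same request keeps arriving many times per minute.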

ENTIRE THREAD

Is SEARCH working? Posted by Yuri Rubinov @ 8/14/2008 2:39:25 PM
RE: Is SEARCH working? Posted by Eric den Doop @ 8/14/2008 4:14:08 PM
RE: Is SEARCH working? Posted by Yuri Rubinov @ 8/14/2008 5:05:24 PM
RE: Is SEARCH working? Posted by Borislav Borissov @ 8/14/2008 5:17:33 PM
RE: Is SEARCH working? Posted by Eric den Doop @ 8/14/2008 6:04:20 PM
RE: Is SEARCH working? Posted by Borislav Borissov @ 8/14/2008 6:15:22 PM
RE: Is SEARCH working? Posted by Eric den Doop @ 8/14/2008 7:36:45 PM
RE: Is SEARCH working? Posted by Borislav Borissov @ 8/14/2008 8:45:01 PM
RE: Is SEARCH working? Posted by Eric den Doop @ 8/14/2008 9:41:43 PM