0.02 Euro in addition to what the others already said:

Rule of thumb: ' is for SQL, " is for Net.Data.

Hackers/Crackers can easily change your SQL by entering ' in your
input fields.

To avoid this, replace

WHERE BWNMID = '$(CGIINP03)'

with

WHERE BWNMID = '@DTW_rADDQUOTE(CGIINP03)'

The same is true for the input fields, those can be "destroyed" by
entering "></body></html>".

<input type="text" name="myvar" value="$(myvar)">

should be

<input type="text" name="myvar" value="@DTW_rHTMLENCODE(myvar)">

Good luck!

-- 
Mit freundlichen Grüssen / best regards

Anton Gombkötö
Organisation und Projektleitung

Avenum Technologie GmbH
Wien - Salzburg - Stuttgart
http://www.avenum.com




As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.