Paving the way for .NET in Tonga
Looks like one of the fields in the centrelink claim forms doesn't filter input correctly.
I try putting in 'Ofa for my wife's first name, and I get error messages for some other part of the form until I get rid of that leading single-quote. That's so 1990's!!!
Imagine if I had no idea about database query problems and the use of quotes and single-quotes (read: I would be forever confused about why I can't fill the form in). Or worse yet, what would happen if I were malicious and tried to wipe the database back-end with some sad query like 'DROP DATABASE *'?
It doesn't help that the website doesn't respond to centrelink.gov.au. Ahhhhhh, the joys of being online.
When developing websites, it is very important to validate that the data users enter in forms cannot corrupt your database. One of the standard things to check for is the use of quotes in text fields (names, for example, are entered onto a web form through text fields).
Quotes are, in and of themselves, valid input for text fields, but they present a real danger for the engines behind most websites: the contents of text fields are usually placed inside an SQL query, and quotes have special meaning within an SQL query.
This class of security problem is called SQL injection.
SQL Injection: What is it?
SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application-layer attack techniques used today. It is the type of attack that takes advantage of improper coding in your web applications, which allows a hacker to inject SQL commands into, say, a login form and so gain access to the data held within your database.
In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.
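To make the two points above concrete (a quote in a legitimate name breaking the form, and the same weakness letting user input reach the database as SQL), here is an added example that is not part of the original post. It uses Python's built-in sqlite3 module and an in-memory table of claimants, both constructed for this illustration; the table name, column names and the sample name "'Ofa" are assumptions, not anything from the Centrelink site. The first insert splices the field straight into the SQL text, the way the form described above evidently does; the second passes it as a bound parameter, which is the standard fix (the ADO.NET equivalent is a SqlCommand with SqlParameter objects).

```python
import sqlite3

# Constructed sample input: a legitimate name with a leading apostrophe,
# like the one that broke the claim form in the post.
SAMPLE_NAME = "'Ofa"


def setup_db():
    """Create a throwaway in-memory database with one hypothetical table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE claimants (id INTEGER PRIMARY KEY, first_name TEXT NOT NULL)"
    )
    return conn


def insert_concatenated(conn, first_name):
    """Vulnerable pattern: user input is glued into the SQL text.

    Any quote in the input changes the structure of the statement, so a
    harmless name produces a syntax error and crafted input could change
    what the statement does.
    """
    sql = "INSERT INTO claimants (first_name) VALUES ('" + first_name + "')"
    conn.execute(sql)


def insert_parameterised(conn, first_name):
    """Safe pattern: the value travels separately from the SQL text.

    The driver never parses the value as SQL, so quotes are just data.
    """
    conn.execute("INSERT INTO claimants (first_name) VALUES (?)", (first_name,))


def lookup(conn, first_name):
    """Return the stored name, or None if no row matches (parameterised too)."""
    row = conn.execute(
        "SELECT first_name FROM claimants WHERE first_name = ?", (first_name,)
    ).fetchone()
    return row[0] if row else None


def try_concatenated(first_name):
    """Store a name via concatenation; return it on success, else the DB error text."""
    conn = setup_db()
    try:
        insert_concatenated(conn, first_name)
    except sqlite3.Error as exc:
        return "error: " + str(exc)
    return lookup(conn, first_name)


def try_parameterised(first_name):
    """Store a name via a bound parameter and read it back."""
    conn = setup_db()
    insert_parameterised(conn, first_name)
    return lookup(conn, first_name)


if __name__ == "__main__":
    # A name without a quote works either way; 'Ofa only works when bound.
    print("concatenated, Mele:", try_concatenated("Mele"))
    print("concatenated, 'Ofa:", try_concatenated(SAMPLE_NAME))
    print("parameterised, 'Ofa:", try_parameterised(SAMPLE_NAME))
```

Note what the parameterised version does not do: it does not strip or reject the apostrophe. Filtering quotes out of a name field would have "fixed" the error in the post by refusing to accept 'Ofa at all; binding the value keeps the name intact and keeps the database from ever treating it as SQL.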