Wow, wow, very interesting!

On Thu, 20 Jul 2000, Sean G Richards wrote:
<form action="search_result" method="get">
<h2><dtml-var document_title></h2>
<input name="select_statment" value="select * from courses_description ">
<input name="where_statement" value=" where subject = 'ee'">
<input type="SUBMIT" name="SUBMIT" value="Submit Query">
</td></tr>
</table>
</form>

Please send me the real URL of the form ASAP. I will download the page, replace "select *" with "DELETE FROM" and submit the form! Never saw a nicer security hole! :)

Oleg. (All opinions are mine and not of my employer)
----
Oleg Broytmann  Foundation for Effective Policies  phd@phd.russ.ru
Programmers don't die, they just GOSUB without RETURN.
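
The problem pointed out in this message, shown next to a corrected handler, as an added example that is not code from the thread or from Zope. The function names, the `subject` field, the `ALLOWED_SUBJECTS` set and the use of an in-memory `sqlite3` database are assumptions; the table and the two form field names are taken from the quoted form.

```python
import sqlite3

def make_db():
    # Constructed sample data; table name follows the quoted form.
    db = sqlite3.connect(":memory:")
    db.execute("create table courses_description (subject text, title text)")
    db.executemany("insert into courses_description values (?, ?)",
                   [("ee", "Circuits I"), ("ee", "Signals"), ("cs", "Compilers")])
    return db

def search_vulnerable(db, form):
    # What the quoted form implies: the server executes SQL text
    # that arrives in the request, so the client chooses the statement.
    sql = form["select_statment"] + form["where_statement"]
    return db.execute(sql).fetchall()

ALLOWED_SUBJECTS = {"ee", "cs"}  # assumption: the known subject codes

def search_hardened(db, form):
    # The SQL text is fixed on the server. The request contributes a single
    # value, checked against an allowlist and passed as a bound parameter.
    subject = form.get("subject", "")
    if subject not in ALLOWED_SUBJECTS:
        raise ValueError("unknown subject")
    cur = db.execute(
        "select subject, title from courses_description where subject = ?",
        (subject,))
    return cur.fetchall()

def row_count(db):
    return db.execute("select count(*) from courses_description").fetchone()[0]

# Constructed request: the form's default field values edited by the client,
# as the message describes.
TAMPERED = {"select_statment": "delete from courses_description ",
            "where_statement": " where subject = 'ee'",
            "subject": "ee"}

if __name__ == "__main__":
    a, b = make_db(), make_db()
    search_vulnerable(a, TAMPERED)
    print("rows left after vulnerable handler:", row_count(a))
    print("hardened result:", search_hardened(b, TAMPERED))
    print("rows left after hardened handler:", row_count(b))
```

The database account used by the search page should also hold read-only rights on the table, so that a mistake in the handler cannot modify data.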