So, without starting a "How to hack a website" thread, I have a question.
I'm working on this project where users upload Excel files; ASP reads the tabs, and if there is data we give them a drop-down menu to choose which tab they want to use, bla bla bla.
All works fine and well. However, we don't have any control over what they are naming their tabs. I'm concerned that, through naming their tabs, they may be able to do things we don't want them to do.
My SQL string looks like this:
sql_string = sql_string & "SELECT * FROM ["&sqlCommandArray(k)&"]" & ","
Then I do a split, etc., and eventually execute. What characters should I be concerned with that can potentially do some damage?
Thanks in advance.
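As an added illustration (this is not code from the post, and it is written in Python rather than ASP so it can be run stand-alone): the concatenation above is reproduced literally, followed by the comma split the post describes, and then a constructed hostile tab name is pushed through it. The two characters that matter are `]`, which closes the bracketed identifier, and `,`, which the split treats as a statement separator; anything after them is executed as-is. The hardened builder rejects names Excel itself would not accept in a sheet name (`\ / ? * [ ] :`, empty, or longer than 31 characters), plus commas and control characters, since a crafted workbook is not bound by Excel's own rules. The function names, the `Uploads` table and the sample tab names are assumptions made for the example.

```python
import re

# Characters Excel refuses in a worksheet name. A workbook produced by a
# library or by hand is not bound by this, so the server must enforce it.
EXCEL_FORBIDDEN = set('\\/?*[]:')
EXCEL_MAX_SHEET_NAME = 31


def build_sql_string(tab_names):
    """Literal reproduction of the pattern in the post (vulnerable).
    Each tab becomes 'SELECT * FROM [tab]' and the pieces are joined with
    commas, which the post's code later splits on to get one statement each."""
    sql_string = ""
    for name in tab_names:
        sql_string = sql_string + "SELECT * FROM [" + name + "]" + ","
    return sql_string


def split_statements(sql_string):
    """The 'split, etc.' step from the post: one statement per comma-delimited
    piece, dropping the empty trailing element."""
    return [s for s in sql_string.split(",") if s]


def demo_breakout():
    """Constructed hostile tab name: ']' ends the bracketed identifier, ','
    makes the remainder its own statement, and '--' comments out the stray
    ']' the template appends. Returns the statements the loop would execute."""
    hostile = "Sheet1],DELETE FROM Uploads--"
    return split_statements(build_sql_string(["Summary", hostile]))


def is_safe_sheet_name(name):
    """Allowlist-style check on a tab name before it goes anywhere near SQL.
    Rejects what Excel itself forbids, plus the comma the split depends on
    and any control character; non-ASCII letters are still allowed."""
    if not name or len(name) > EXCEL_MAX_SHEET_NAME:
        return False
    if any(ch in EXCEL_FORBIDDEN for ch in name):
        return False
    if "," in name or re.search(r"[\x00-\x1f\x7f]", name):
        return False
    return True


def build_sql_string_safe(tab_names):
    """Hardened builder: identical output for acceptable names, but refuses
    to build the string at all when any name fails the check."""
    for name in tab_names:
        if not is_safe_sheet_name(name):
            raise ValueError("unacceptable sheet name: %r" % name)
    return build_sql_string(tab_names)


if __name__ == "__main__":
    for stmt in demo_breakout():
        print(stmt)
    print(build_sql_string_safe(["Summary", "Q1 Sales"]))
```

Note that the check is on the name taken from the workbook, not on the drop-down value: the workbook is the attacker-controlled input, so mapping the user's choice back to an index does not remove the need to validate the sheet name itself. On SQL Server a `]` inside a bracketed identifier can be escaped as `]]`, but the Jet/ACE Excel providers offer no such escape, which is why rejecting the character outright is the safer default here.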