14-08-2008, 10:40 PM
Dave Wrote: As for the /name thing I think it checks if the account is online before it cleans the string of "bad" characters.
As for the admin = 5 thing,
If you write "Name = " and let the person specify what comes after that... they can make it say, "Dave & VBNewLine & Access = 5"
Then the file will look like this:
Name = Dave
Access = 5
See the problem?
SQL injections are similar.
Can't you just check to see if "VbNewLine" is in the textbox?
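
Added example, not part of the thread or of the game's own code: a Python sketch of the account-file problem described above, comparing a check for the literal text "VbNewLine" with an allowlist on the name. The name policy, the function names and the "first key wins" reader behaviour are assumptions made for illustration.

```python
import re

# Assumed policy for this sketch: 3-20 letters, digits or underscores.
NAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
VB_NEWLINE = "\r\n"  # what VB's vbNewLine constant expands to (CR + LF)


def render_unsafe(name, access=0):
    """Build the account file the way the post describes: raw concatenation."""
    return f"Name = {name}{VB_NEWLINE}Access = {access}{VB_NEWLINE}"


def parse_account(text):
    """Read 'Key = Value' lines; the first occurrence of a key wins (assumed)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return fields


def naive_check(name):
    """Look only for the literal text 'VbNewLine' in the input."""
    return "vbnewline" not in name.lower()


def validate_name(name):
    """Allowlist check: rejects CR, LF, '=', spaces and anything else unexpected."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid account name")
    return name


def render_safe(name, access=0):
    """Validate first, then write the same file format."""
    return render_unsafe(validate_name(name), access)


# Constructed input: a name carrying a real CR+LF pair, not the word "VbNewLine".
CRAFTED = "Dave\r\nAccess = 5"

if __name__ == "__main__":
    print(naive_check(CRAFTED))                   # the literal-text check passes it
    print(parse_account(render_unsafe(CRAFTED)))  # Access is read back as 5
    try:
        render_safe(CRAFTED)
    except ValueError as exc:
        print("rejected:", exc)
```

The same allowlist approach carries over to VB: validate every character of the name against the permitted set before it is written, rather than searching for one forbidden string.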