Forum OpenACS Q&A: Response to Stealing Email Addresses -3x

Posted by Don Baccus on
Actually, Ben went through our 3.x codebase and added a bunch of "validate integer" calls to block obvious SQL smuggling attacks.

So yes, I guess a good question is to ask whether or not you're validating your query variables in your custom pages, too, or whether or not a standard page is exploitable because it got missed in Ben's sweep.
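As an added illustration of the check Don is describing (this is not code from the thread or from OpenACS, and it is written in Python with sqlite3 rather than OpenACS's Tcl so that it runs stand-alone): the vulnerable pattern pastes a query variable straight into the SQL, so a non-integer `user_id` such as `0 OR 1=1` turns a single-user lookup into a dump of every email address in the table. The hardened version rejects anything that is not a plain integer before the query is built, and then passes the value as a bind parameter. The table, column names and sample rows are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for a users table (not OpenACS's schema).
SAMPLE_USERS = [
    (1, "alice@example.com"),
    (2, "bob@example.com"),
    (3, "carol@example.com"),
]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def emails_unvalidated(conn, user_id):
    """Vulnerable pattern: the query variable goes into the SQL text unchecked.

    A value like "0 OR 1=1" changes the WHERE clause and returns every row.
    """
    sql = f"SELECT email FROM users WHERE user_id = {user_id}"
    return [row[0] for row in conn.execute(sql)]


def validate_integer(field_name, value):
    """Analogue of a 'validate integer' call: accept only a plain (optionally
    signed) decimal integer and refuse everything else before it reaches SQL."""
    if not isinstance(value, str) or not re.fullmatch(r"-?[0-9]+", value):
        raise ValueError(f"{field_name} must be an integer, got {value!r}")
    return int(value)


def emails_validated(conn, user_id):
    """Hardened pattern: validate first, then use a bind parameter so the
    database never interprets the value as SQL."""
    uid = validate_integer("user_id", user_id)
    rows = conn.execute("SELECT email FROM users WHERE user_id = ?", (uid,))
    return [row[0] for row in rows]


def demo():
    """Return (legit lookup, smuggled lookup, whether validation blocked it)."""
    conn = make_db()
    legit = emails_unvalidated(conn, "2")
    smuggled = emails_unvalidated(conn, "0 OR 1=1")
    try:
        emails_validated(conn, "0 OR 1=1")
        blocked = False
    except ValueError:
        blocked = True
    return legit, smuggled, blocked


if __name__ == "__main__":
    print(demo())
```

The regex check alone would stop this particular attack, but the bind parameter is what keeps a page safe if a later edit routes a different, unvalidated variable into the same query; the two belong together, and sweeping a code base for one without the other is exactly how a page gets missed.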