Yup, that's correct, Justin. Just a warning sign though :)
I switched my hosting back in 2003, because even though the system gave me my own SQL user/pass, it could actually see and query other DBs on the same machine (wrong privileges).
My current hosting also allows the user to query 3-4 other DBs, but I think those DBs are sample templates (Northwind etc.) - well, hopefully :D

My sites are so far so good. Those SQL statements I got from the webserver log.

I put my own cf_trimvars tag in Application.cfm to translate all passed parameters.
It makes sure all inputs are safe and won't be executed as commands in SQL Server.

Rizal

ColdFusion Custom Tags And More
www.masrizal.com

At 08:54 8/8/2008, you wrote:
>On SQL Server the sysobjects and syscolumns tables are per-database, so any
>script that queries those will only see the tables and such for the database
>it's running inside of.  This particular attack will stay within the
>database being queried and not go outside, so if your site is hit with this
>attack it's a sure sign that there is a problem in your code somewhere that
>let it in.
>
>Given that, I have seen SQL injection attacks that will go try to query the
>'master' database on SQL Server, look at the sysdatabases table, and then go
>crawl through every database it can get access to (and if it can get to
>master, it's a good bet it can get to everything else).  Those are the
>really nasty ones.
>
>If the hosting company is at all competent, they will have a unique username
>and password for each client database (or each client shared among your
>databases) which can't access other client databases.  Not only does it help
>contain SQL injection attacks, it keeps other hosting clients out of your
>databases (and you out of theirs).
>
>
>-Justin Scott
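Rizal mentions pulling the attack SQL out of the webserver log. As an added example (not code from either poster), here is a small Python scanner over constructed log lines that URL-decodes each request, expands the hex-encoded CAST payload form that injection wave commonly used (an assumption about the traffic, not something the thread states), and sorts hits into the two tiers Justin describes: queries that stay inside the current database (sysobjects/syscolumns) versus ones that reach for master and sysdatabases.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample web-server log lines (Common Log Format), not real traffic.
# The hex in line 2 decodes to "SELECT name FROM sysobjects".
SAMPLE_LOG = """\
10.0.0.1 - - [08/Aug/2008:08:54:00 +0000] "GET /page.cfm?id=12 HTTP/1.1" 200 512
10.0.0.2 - - [08/Aug/2008:08:55:10 +0000] "GET /page.cfm?id=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x53454C454354206E616D652046524F4D207379736F626A65637473%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 512
10.0.0.3 - - [08/Aug/2008:08:56:30 +0000] "GET /page.cfm?id=1%20UNION%20SELECT%20name%20FROM%20master..sysdatabases-- HTTP/1.1" 500 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HEX_CAST_RE = re.compile(r'CAST\(0x([0-9A-Fa-f]+)\s+AS', re.IGNORECASE)

# Tier 1: catalog tables that are per-database, so the query stays inside the
# database the site uses. Tier 2: markers of a crawl through master.
IN_DATABASE = ("sysobjects", "syscolumns")
CROSS_DATABASE = ("master..", "master.dbo.", "sysdatabases")

def decode_request(raw_path):
    """URL-decode a request path and expand any CAST(0x... AS ...) hex payload."""
    text = unquote_plus(raw_path)
    def expand(m):
        hexdigits = m.group(1)
        if len(hexdigits) % 2:          # malformed hex: leave it as-is
            return m.group(0)
        return bytes.fromhex(hexdigits).decode("latin-1")
    return HEX_CAST_RE.sub(expand, text)

def classify(decoded):
    """Return 'cross-database', 'in-database' or None for a decoded request."""
    low = decoded.lower()
    if any(marker in low for marker in CROSS_DATABASE):
        return "cross-database"
    if any(marker in low for marker in IN_DATABASE):
        return "in-database"
    return None

def scan_log(log_text):
    """Return a list of (client_ip, verdict, decoded_request) for suspicious lines."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = decode_request(m.group(1))
        verdict = classify(decoded)
        if verdict:
            hits.append((line.split()[0], verdict, decoded))
    return hits

if __name__ == "__main__":
    for ip, verdict, req in scan_log(SAMPLE_LOG):
        print(f"{ip} {verdict}: {req}")
```

A cross-database hit is the one to escalate: it only works if the site's SQL login can reach master, which is exactly the hosting misconfiguration the thread is about.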




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310468