Using information from a Ben Nadel article, jsStringFormat( htmlEditFormat())
seems to be catching insertions like b and escaping them.
However, I have tried a number of regex routines from
http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks
plus
-williams.com/blog
Twitter: http://www.twitter.com/austin_williams
-Original Message-
From: Stephens, Larry V [mailto:steph...@iu.edu]
Sent: Friday, August 15, 2014 1:51 PM
To: cf-talk
Subject: protection from sql attacks with regex++
Using information from a Ben Nadel article, jsStringFormat
to be catching insertions like b and escaping
them.
However, I have tried a number of regex routines from
http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks
plus another from a CF article that I can't place at the moment, to catch
statements like select
Doing that on everything.
-Original Message-
From: Robert Harrison [mailto:rob...@austin-williams.com]
Sent: Friday, August 15, 2014 1:54 PM
To: cf-talk
Subject: RE: protection from sql attacks with regex++
Uhm... cfqueryparam
Robert Harrison
Director of Interactive Services
Doing that on everything.
If you're parametrizing everything on the queries then what is the concern?
-Justin
I do declare that keyword matching alone has issues :-)
Yeah, that can really bite you in the butt!
We've been having pretty good results with the tool that is posted over at my
site. It does a fairly decent job of catching most injection and XSS attacks
and with some recent updates that I
On Friday 15 Jan 2010, Chung Chow wrote:
if ( isdefined(cgi.query_string) and (
findnocase(DECLARE,cgi.query_string) or
I do declare that keyword matching alone has issues :-)
--
Helping to challengingly envisioneer eighth-generation network integrated
turn-key bandwidth as
-Original Message-
From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
Sent: Friday, January 15, 2010 2:44 PM
To: cf-talk
Subject: RE: Recent SQL Injection attacks
For coldfusion, I use Fusionreactor.. I look at the request history,
and you see the templates that were
these attacks? The webserver logs?
The qpscanner is ok in general but I want something that will only get
me numeric variables that are not in a cfqueryparam.
That is not enough to protect you!
It is not hard to create injection attacks that bypass CF's auto-doubling of
quotes.
qpscanner deliberately errs on the side
I think there's at least one or two more too. I should really make a
note of them somewhere...
Charlie Arehart's list.
Pretty sure he's got all this listed in a security/similar category.
Yep, here we go:
http://www.carehart.org/cf411/#testing
they
told me I passed:)
My ftp server has also been getting dictionary attacks from
Amsterdam 95.154.246.98.. luckily my ftp sites are set up to allow
only certain ip addresses.
At 08:14 PM 1/12/2010, you wrote:
Didn't know about that IP. Thanks
They got in through some code that was written
How do you guys monitor these attacks? The webserver logs?
-Original Message-
From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
Sent: Wednesday, January 13, 2010 12:34 PM
To: cf-talk
Subject: Re: Recent SQL Injection attacks
I have been getting a lot lately... and had
cut down the spam/injection attacks.
however the table continues to grow and i think i am losing the battle. anyway
thought this may grow some ideas...
Fast question. Has anyone seen an injection attack that used a field
other than an integer?
I've written a fast RegEx for use in Homesite (or any other regex
using editor) that will find any query that has numeric 'looking'
variables that are not in a cfqueryparam. While I have to change every
Michael,
Yes... Certain types of installations of MySQL are subject to character
injection attacks.
http://www.coldfusionmuse.com/index.cfm/2008/2/22/sql-injection-on-a-character-field
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
There's a project for that.
I can't remember what it is off-hand, but I'm 100% sure there's a
cfqueryparam-er.cfc out there, which does this.
Maybe this one? : http://qpscanner.riaforge.org/
The other main one is
http://www.webapper.com/blog/index.php/2008/7/22/ColdFusion-SQL-Injection
I think a mash up or two might have cropped up in the past year too.
~Brad
The qpscanner is ok in general but I want something that will only get
me numeric variables that are not in a cfqueryparam. The RegEx does
that while putting the results in a single click position for me to
edit immediately. My old cfqueryparam scanner allows for
auto-insertion of cfqueryparam
Has anyone seen any recent SQL injection attacks on their sites or in
the wild? I just cleaned a bunch of JS and other code from a clients
DB. Most of the scripts were running those fake anti-virus popups but
some had other things like lung cancer scams.
Anyone see anything?
Thanks
--
Michael
Yes.
All from ip 91.212.226.161
Which we have blocked at our firewall.
Annoying, but we saw these coming 2 summers ago, and took steps.
On Tue, Jan 12, 2010 at 6:05 PM, Michael Dinowitz
mdino...@houseoffusion.com wrote:
: Stopping web form spam attacks
John Wilker posted a solution on his Blog... Might be worth looking at as an
alternative.
http://www.johnwilker.com/johnwilker/index.cfm?commentID=361
On 10/4/05, Les Mizzell [EMAIL PROTECTED] wrote:
implement a captcha mechanism?
http://www.alagad.com
I am looking for a way to stop a form on one of
My client's sites from sending him gobs of bogus
Submit emails. I feel some of you have already
Run across this, but this is my first exposure.
Terry
Since it puts identical values into any number of text fields ... I took
the easy way out...
<cfif form.FirstName NEQ form.LastName>
    Process Form
</cfif>
Works like a charm
--
---
Les Mizzell
to
this point, I had only really been worried about protecting forms from
SQL injection attacks.
OK, so anybody got any best practice ideas to thwart this sort of
thing using CF?
--
---
Les Mizzell
OK, so anybody got any best practice ideas to thwart this sort of thing
using CF?
Hi Les,
I've been seeing these on and off for a week or so. Apart from doing the
standard stuff such as setting the maxlength in the form fields and then
enforcing those lengths with a function call like so
There was a minor error in my function I posted
Replace IS True with GT 0 :)
Paul
Jochem van Dieten wrote:
gabriel l smallman wrote:
would the statement made by rick still hold true though. The
attack would need to be able to close the single quotes to embed an attack.
And how hard is that exactly? Don't go and play 'I know more
about SQL than you do' with a
good article on preventing attacks on your site
www.communitymx.com
Has anyone else seen any of these attacks coming across their servers?
Someone has been scanning several of the sites on our server for:
/nul.cfm and /prn.cfm
Information on the PRN Vulnerability:
http://packetstormsecurity.nl/9906-exploits/windows.prn.flaw.txt
Information on the NUL
Seen a few, not an issue on my linux boxes.
M
-Original Message-
From: Joshua Miller [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 26, 2002 1:37 PM
To: CF-Talk
Subject: PRN and NUL.cfm Attacks?
http://netscape.com.com/2100-1105-964057.html?type=pt
==
Peter Tilbrook
Project Officer
Strategic Development
Australian Building Codes Board
GPO Box 9839
CANBERRA ACT 2600
E-Mail: [EMAIL PROTECTED]
Telephone: (02) 6213 6731
Mobile: 0439 401 823
Facsimile: (02) 6213 7287
I remember a couple threads about this topic, however, I never have any
luck with the archives. What approaches have you taken to stop SQL
insertion attacks. Our current thinking is to check for a set of certain
characters (*,',, etc) and make the user remove those characters before
submitting
cfqueryparam is the answer. I have seen the Light!
-Original Message-
From: Casey C Cook [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 09, 2002 10:52 AM
To: CF-Talk
Subject: SQL Insertion attacks
If you don't want to take my word for it, though, here's an article by Uncle
Ben:
http://www.macromedia.com/desdev/articles/ben_forta_faster.html
cfqueryparam is the answer. I have seen the Light!
As long as you use bind parameters with every SQL statement, you won't have
any problems with SQL injection attacks. If you're
I have been trying to use the UDF below, which I got from
http://www.cflib.org/udf.cfm?ID=612enable=0.
The problem is this UDF will return true whenever a field contains the word
delete, drop, insert etc. Or when it contains a single quote character.
This doesn't really work very well since a
From: Brook Davies [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 03, 2002 11:54 AM
To: CF-Talk
Subject: SQL Injection Attacks (scrubbers cont.)
You can use this really nasty regex that I use to sweep for all sorts of
attacks:
(<[[:space:]]?/?(script|embed|applet|object|form|layer|ilayer|frame|iframe|frameset|param|meta|server)[^>]*?>)|(;?[[:space:]]*(((alter|create|drop)[[:space:]]*(database|proc|table|trigger|view|function))|(insert
It seems to me there are two different issues here, that only partially overlap.
1. data is input into a field - say an varchar/ntext/text/memo field - that will be
used to display onto a page. The user could include all sorts of nasties, both simple
and complex. Injected SQL isn't much of a
Not everyone has cfqueryparam available we are on CF4 for a
few more months so we're SOL.
But you could theoretically still do something like
select *
from blah
where userdata; select * from blah
which would be interpreted as a 2nd query. CFQUERY param
might fix that it might come
[EMAIL PROTECTED]
Sent: Tuesday, September 03, 2002 5:00 PM
Subject: RE: SQL Injection Attacks (scrubbers cont.)
:) thats why i said for places that can not do CFQUERYparam
Sorry, I misunderstood you. D'oh!
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
:09
To: CF-Talk
Subject: security: attacks through submission of script
Hi. I am evaluating the security of my application as regards malicious
attack via manipulation of the Cookie, URL, or Form variables. I know about
the business with submission of unauthorized SQL statements, and have
already
it
comes from your server. Yes, that means one set of validating scripts for
the client before submission and another on the action page to filter
attacks. Slower? A little. Safer? Oh yes!
Javascript is indeed generally safe in and of itself. Most of the egregious
security holes have long since
Not allowing DROP amongst other SQL commands in your datasource setup can
assist also.
-Original Message-
From: Trusz, Andrew [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 27 June 2002 9:12 PM
To: CF-Talk
Subject: RE: security: attacks through submission of script
Since nobody else seems
://www.dixonusa.com
-Original Message-
From: Trusz, Andrew [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 27, 2002 7:12 AM
To: CF-Talk
Subject: RE: security: attacks through submission of script
Since nobody else seems to have responded, I'll give it a quick pass. Data
from forms needs
Robert Everland wrote:
Or just add this to your application .cfm, allaire released it a while ago.
Works great. The tag is from <cfsilent> to </cfsilent>
cfmodule
template=customTags/inputfilter.cfm
scopes = FORM,COOKIE,URL
chars = ),(,%,,$,*,,,;
tags =
I've done a little of this kind of thing when screwing
around with forms validation, but I would like to know
more. Almost all of the work I have done up to this point
has been with secure Intranet sites, but now I need to
know about real security (for the big, bad web) beyond
just
Hi. I am evaluating the security of my application as regards malicious
attack via manipulation of the Cookie, URL, or Form variables. I know about
the business with submission of unauthorized SQL statements, and have
already screened for it. But then there is the issue of unauthorized script
Cornillon, Matthieu wrote:
Going on my basic (and hopefully correct)
assumption that JavaScript is set up so that it cannot (a) harm the user's
machine or (b) harm the server, I am not going to worry about this, since
the worst a user will do is pass themselves a JavaScript routine that
One of my favorites is the use of the SQL Server system stored
procedure xp_cmdshell to open a command shell, which can be used to
fetch a file from an attacker's FTP server and run it.
I always knew Dave was a cracker (not hacker!) extraordinaire :-)
Oh, hardly. I didn't discover it
Is CFID and CFTOKEN vulnerable to this if they are stored as
COOKIES and you are using a DB to store client variables?
Since I assume you could easily modify the CFID and CFTOKEN
in your cookie file that browser maintains.
To be honest, I don't really know what the exact SQL is that's
Hi all,
Had some interesting errors in our logs yesterday. It appears that someone's
trying to hack our database by inserting SQL query language into the URL
string.
We're doing all the standard security measures, including filtering for
single quotes, using database passwords, and the like,
Are you using cfqueryparam on all your values too? This is just one
more layer to help out.
Kevin
-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?
..
HTH
Clint
-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?
make sure you are at the latest MDAC and have all service
pack applied for SQL. I think that the latest MDAC prevents
attacks like this, but I could be wrong.
No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.
Dave Watts, CTO, Fig
:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 8:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?
-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?
PROTECTED]]
Sent: Friday, April 12, 2002 10:36 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?
Dave,
Could you show me an example of an SQL injection attack? I want to test
my app
to see what I need to do to protect against this.
Thanks,
Brian Yager
President - North AL Cold
: Preventing SQL injection attacks...?
There was a real good white paper from NGSSoftware. It's called Advanced
SQL Injection and can be found near the bottom of this page.
http://www.nextgenss.com/research.html#papers
Frightening...
Jeff Garza
Lead Developer/Webmaster
Spectrum Astro, Inc
[mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:40 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?
This is probably the biggest security problem with web applications. It
boils down to securing and validating your input. Most of these attacks
are successful only when you're evaluating a number - since a string
won't execute SQL, but only evaluate it as a string input. So if you're
expecting
stored procedures are your friends.
they enforce strict datatypes.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 12 April 2002 17:11
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?
won't execute SQL, but only evaluate it as a string input. So if you're
expecting numbers, then validate, using isNumeric() or CFQueryParam.
Or if you know a value must be numeric, wrap a val() around it. That will
knock any text strings down to 0 and prevent an SQL error from being thrown,
:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:36 PM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?
All of these sorts of attacks rely
There is a custom tag... cf_formfilter on the developers exchange that I've been
using... It searches the caller.form.fieldnames structure looking for all sorts of
nasty includes.
After just reading it again I think I can also make it filter url submitted input as
well.
Anyone here use or
, April 12, 2002 12:01 PM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?
Let's say your query is:
Select productName from products where productID = #url.productid#
If the url is page.cfm?productid=2 then your db sees
Select productName from products where productID = 2
[EMAIL PROTECTED] wrote:
you can't forget that form fields also play a part in this. after reading
the information provided in jeff's link, it did shine a light. although i
have been taught from the beginning to always use val() around numeric
values (thank Adam) and to use regex to validate
, April 12, 2002 1:37 PM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?
<cfparam type="date|numeric|string|boolean|UUID|..."> can be used for
validating almost anything. It's an underused function.
Sharon DiOrio
- Original Message -
From: Justin Scott [EMAIL PROTECTED]
To: CF
the equivalent SQL statement of:
select * from table where id = '12;drop table yourtable'
- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:00 am
Subject: RE: Preventing SQL injection attacks...?
let's say you have a text field that is 100 characters long. you
All of these sorts of attacks rely on tampering with form or URL data to add
SQL statements directly to that data, on the assumption
No. That would end up the URL scope:
url.session.password
- Original Message -
From: Yager, Brian T Contractor/NCCIM [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:55 am
Subject: FW: Preventing SQL injection attacks...?
Sorry Dave...Didn't mean to send that just to you...My
... I better go test that to be sure grins
Shawn Grover
-Original Message-
From: Brian Scandale [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:53 AM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?
-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:45 PM
To: CF-Talk
Subject: Re: RE: Preventing SQL injection attacks...?
cfqueryparam does in fact prevent that code from running
11:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?
What if you added a replace statement, doubling up on all single quotes?...
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:47 AM
To: CF-Talk
Subject: RE: RE: Preventing SQL injection attacks...?
still. if i had the value
tony
#
cfsqltype=CF_SQL_VARCHAR
It would create the equivalent SQL statement of:
select * from table where id = '12;drop table yourtable'
No, it won't.
It'll produce the SQL equivalent of:
select * from mytable where username = 'tony ''drop table tablename --'
- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:46 am
Subject: RE: RE: Preventing SQL injection attacks...?
still. if i had
, 2002 2:03 pm
Subject: RE: RE: RE: Preventing SQL injection attacks...?
i will have to take your word for it since i have probably never
use cfqueryparam, nor intend to. i personally always use stored procedures
and i do all
of my validation myself. if cfqueryparam works for you, then use