Larry, There were a few threads on the cf-talk board relating to the SQL injection attacks from a few weeks ago. I suggest you search through the archives on 'SQL Injection' and 'cfqueryparam'; there is quite a bit of information about what you are referring to in those threads.
Rob

On Tue, Oct 28, 2008 at 10:59 AM, Larry Schaberg <[EMAIL PROTECTED]> wrote:
> Ok... so even if it's in HEX format, it still will not get executed? That's
> good to know. So I do not have to do an if statement anymore; the cfqp will
> result in the hex not being executed.
>
> Thanks,
>
> Larry
>
> >No it won't. The value of a cfqp doesn't get executed unless you
> >specifically execute it in your SQL:
> >
> ><cfquery>
> >  EXEC(<cfqueryparam value="Dodgy SQL">)
> ></cfquery>
> >
> >Adrian
> >Build a database of ColdFusion errors at http://cferror.org/
> >
> >For the last few months, some websites I run as well as some other websites
> >for companies I used to work for have had sql statements meant to do sql
> >injection encoded in a hex format and used in the URL parameters. In the
> >HEX, if you change it to ASCII Text, you can see the SQL code. The SQL code
> >contains exec() as well as some other statements. It sounds, from what
> >you're saying, that the HEX would be sent to the DB and the code run? My
> >understanding from talking to my IT director is that HEX can be run by the
> >database if sent to it. I was just trying to find out if the HEX string was
> >passed into the <cfqueryparam> and the <cfqueryparam> was varchar, would it
> >then be passed to the database where the string would be run, effectively
> >doing a SQL injection attack?
> >
> >Hope I am making sense.
> >
> >Thanks,
> >
> >Larry

Archive: http://www.houseoffusion.com/groups/cf-newbie/message.cfm/messageid:4089
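The behaviour Adrian describes, shown as an added Python example that is not code from the thread: a helper that pulls the hex literal out of a CAST(0x... AS VARCHAR)...EXEC( request value and decodes it for log review, and a sqlite3 lookup that binds the raw value with a placeholder, the counterpart of cfqueryparam, so the payload is compared as text and its EXEC never runs. The articles table, its columns and the sample parameter are constructed for this example; the hex decodes to a harmless marker string, not a real payload.

```python
import re
import sqlite3

# Constructed sample URL parameter in the shape the thread describes: a SQL
# statement hidden as a hex literal, unpacked with CAST and handed to EXEC.
# The hex decodes to a harmless marker, standing in for the real content.
INNER_SQL = "SELECT 'constructed sample' AS marker"
SAMPLE_PARAM = (
    "42;DECLARE @S VARCHAR(4000);SET @S=CAST(0x"
    + INNER_SQL.encode("ascii").hex().upper()
    + " AS VARCHAR(4000));EXEC(@S)--"
)

# Matches the hex-cast-then-EXEC shape; the hex digits are captured.
HEX_EXEC_PATTERN = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR.*?EXEC\s*\(", re.I | re.S
)


def decode_hex_sql(param: str):
    """Return the SQL hidden in a matching request value, or None when the
    value does not have that shape. For reading logs, never for executing."""
    m = HEX_EXEC_PATTERN.search(param)
    if not m:
        return None
    return bytes.fromhex(m.group(1)).decode("ascii", errors="replace")


def lookup_by_id_param(conn, raw_param: str):
    """Bind the raw request value with a placeholder (what cfqueryparam does).
    The driver sends it as data, so the EXEC inside it is just characters."""
    cur = conn.execute("SELECT id, title FROM articles WHERE id = ?", (raw_param,))
    return cur.fetchall()


def demo():
    """Constructed in-memory table: the hostile value matches no row and
    changes nothing, while a legitimate '42' still finds its row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO articles VALUES (42, 'hello')")
    hidden = decode_hex_sql(SAMPLE_PARAM)
    hostile_rows = lookup_by_id_param(conn, SAMPLE_PARAM)
    legit_rows = lookup_by_id_param(conn, "42")
    row_count = conn.execute("SELECT COUNT(*) FROM articles").fetchone()[0]
    return hidden, hostile_rows, legit_rows, row_count


if __name__ == "__main__":
    print(demo())
```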
