That's correct. :) Dave

-----Original Message-----
From: Larry Schaberg [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 28, 2008 10:00 AM
To: cf-newbie
Subject: Re: Question on cfqueryparam CFMX7 and HEX

Ok... so even if it's in HEX format, it still will not get executed? That's good to know. So I do not have to do an if statement anymore; the cfqp will result in the hex not being executed.

Thanks,
Larry

>No it won't. The value of a cfqp doesn't get executed unless you
>specifically execute it in your SQL:
>
><cfquery>
> EXEC(<cfqueryparam value="Dodgy SQL">)
></cfquery>
>
>Adrian
>Build a database of ColdFusion errors at http://cferror.org/
>
>For the last few months, some websites I run as well as some other websites
>for companies I used to work for have had SQL statements meant to do SQL
>injection encoded in a hex format and used in the URL parameters. In the
>HEX, if you change it to ASCII text, you can see the SQL code. The SQL code
>contains exec() as well as some other statements. It sounds from what you're
>saying that the HEX would be sent to the DB and the code run? My
>understanding from talking to my IT director is that HEX can be run by the
>database if sent to it. I was just trying to find out if the HEX string was
>passed into the <cfqueryparam> and the <cfqueryparam> was varchar, would it
>then be passed to the database where the string would be run, effectively
>doing a SQL injection attack?
>
>Hope I am making sense.
>
>Thanks,
>
>Larry

Archive: http://www.houseoffusion.com/groups/cf-newbie/message.cfm/messageid:4092
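An added illustration of the point Adrian and Dave make, not part of the thread and not ColdFusion code: a bound parameter is passed to the database as data, so a hex-encoded string arriving in a URL parameter is compared or stored as the literal text "0x..." and is never parsed as SQL. Python's sqlite3 placeholder (?) is used here as a stand-in for <cfqueryparam cfsqltype="cf_sql_varchar">, since CFML cannot be run in this setting; the table, the query string and the hex value are constructed for the example, and the decoded text is a harmless placeholder statement rather than a real payload. The decode helper does the triage step Larry describes (turning the hex back into ASCII to see what the request carried) so suspicious parameters can be logged and reviewed.

```python
import binascii
import re
import sqlite3
from urllib.parse import parse_qsl

# Constructed sample value: a hex literal of the kind the thread describes.
# The encoded text is deliberately a harmless placeholder statement.
SUSPICIOUS_PARAM = "0x" + "SELECT 'placeholder'".encode("ascii").hex().upper()

# Constructed sample query string mixing ordinary parameters with the hex one.
SAMPLE_QUERY_STRING = "id=42&q=" + SUSPICIOUS_PARAM + "&sort=name"

HEX_LITERAL = re.compile(r"^0x(?:[0-9A-Fa-f]{2})+$")


def decode_hex_param(value):
    """If a request parameter looks like a 0x... hex literal, return its decoded
    text for logging/triage; otherwise return None."""
    if not HEX_LITERAL.match(value):
        return None
    try:
        return binascii.unhexlify(value[2:]).decode("ascii", errors="replace")
    except binascii.Error:
        return None


def flag_hex_params(query_string):
    """Return {name: decoded_text} for every parameter that is a hex literal,
    so a reviewer can see what the request actually contained."""
    flagged = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        decoded = decode_hex_param(value)
        if decoded is not None:
            flagged[name] = decoded
    return flagged


def build_demo_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("widget",), ("gadget",)])
    conn.commit()
    return conn


def lookup_with_bound_param(conn, user_value):
    """Parameterized lookup: the value is bound as a string (the sqlite3
    equivalent of <cfqueryparam cfsqltype="cf_sql_varchar">). Whatever the
    string contains, hex-encoded or not, it is only ever compared to 'name'."""
    cur = conn.execute("SELECT id FROM products WHERE name = ?", (user_value,))
    return [row[0] for row in cur.fetchall()]


def round_trip_hex_param(conn, user_value):
    """Bind the raw hex string in an INSERT and read it back by id: the database
    stores the 0x... text verbatim; it neither decodes nor executes it."""
    cur = conn.execute("INSERT INTO products (name) VALUES (?)", (user_value,))
    row = conn.execute("SELECT name FROM products WHERE id = ?",
                       (cur.lastrowid,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = build_demo_db()
    print("flagged parameters:", flag_hex_params(SAMPLE_QUERY_STRING))
    print("lookup by hex value:", lookup_with_bound_param(db, SUSPICIOUS_PARAM))
    print("stored verbatim:", round_trip_hex_param(db, SUSPICIOUS_PARAM))
```

The contrast with Adrian's EXEC() snippet is that the bound value only becomes SQL if application code deliberately takes the parameter's content and executes it as a statement; nothing in the lookup or the insert above does that, so the hex string is inert data on both paths.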
