Are you speaking of an SQL server uname and pw?  Or some form of login that
you implement in your CF code?  If it's SQL, then you can set up DB
permissions in a very granular way and your risk is less (though not
completely gone - if you are allowing update, insert or delete).  If not,
then you have the issue of raw SQL being passed to the SQL server.  Either
way, unless you can be positive that all the folks who are accessing the
script are competent SQL writers - this is a great risk.  What happens (for
example) when someone puts in "update userTable SET fname = 'Bill' ", but
they forget the where clause. Suddenly, all your users are named "Bill" <ha>.
Sounds crazy - but do you remember the mistakes you used to make when you
first started writing SQL?  Or what if they experiment with the "truncate"
key word - or "Drop" or "create".  The possibilities are endless - and all
really scary <g>.

-mk
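Added example, not from the thread: a Python/sqlite3 simulation of the quote-doubling that <cfquery> applies to #variables# (the behaviour mk describes), beside the parameterized form that <cfqueryparam> gives you. The reports table, its rows and the form input are constructed for the demo.

```python
import sqlite3


def cf_interpolate(template: str, preserve_quotes: bool = False, **variables) -> str:
    """Expand #name# references the way <cfquery> does: every single quote in a
    variable's value is doubled, unless the value is wrapped in
    PreserveSingleQuotes() (modelled here by preserve_quotes=True)."""
    out = template
    for name, value in variables.items():
        if not preserve_quotes:
            value = value.replace("'", "''")
        out = out.replace(f"#{name}#", value)
    return out


def run_raw(conn: sqlite3.Connection, sql: str):
    """Execute SQL assembled as text; return (ok, rows_affected_or_error_message)."""
    try:
        cur = conn.execute(sql)
        conn.commit()
        return True, cur.rowcount
    except sqlite3.Error as exc:
        return False, str(exc)


def update_password(conn: sqlite3.Connection, report_id: int, new_password: str) -> int:
    """The safe form (what <cfqueryparam> gives you): values travel as bind
    parameters, never as SQL text, and the WHERE clause is fixed in code so a
    caller cannot change more than one row."""
    cur = conn.execute("UPDATE reports SET password = ? WHERE id = ?",
                       (new_password, report_id))
    conn.commit()
    return cur.rowcount


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the [reports] table in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO reports VALUES (?, ?)",
                     [(1, "old1"), (2, "old2"), (3, "old3")])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = demo_db()
    form_sql = "update [reports] set password = '123xxx456'"  # what the form field held
    print(run_raw(conn, cf_interpolate("#sql#", sql=form_sql)))        # (False, syntax error)
    print(run_raw(conn, cf_interpolate("#sql#", True, sql=form_sql)))  # (True, 3): no WHERE
    print(update_password(conn, 1, "123xxx456"))                        # 1
```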

-----Original Message-----
From: Tony Weeg [mailto:[EMAIL PROTECTED]]
Sent: Sunday, December 02, 2001 10:04 PM
To: CF-Talk
Subject: RE: shooting my server soon....


even with a username/password protecting it?
tony

-----Original Message-----
From: Mark A. Kruger - CFG [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 02, 2002 11:03 PM
To: CF-Talk
Subject: RE: shooting my server soon....


bingo - if you have a string you are building that includes single quotes,
you have to use the "preservesinglequotes( )" function.  Otherwise you would
get exactly this syntax error - the query without the function would end up
being:  update [reports] set password = ' '123xxx456' ' (two sets of single
quotes). Tony, I wouldn't do it this way unless you are doing some kind of
one-time query - or building some form of on-line query analyzer.  The
security risk is pretty high. I would at least restrict DML type queries
using SQL permissions.

-mk

-----Original Message-----
From: Samuel Neff [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 02, 2002 9:48 PM
To: CF-Talk
Subject: RE: shooting my server soon....


So the entire SQL is inside the form field, including the single quotes?
Then you need PreserveSingleQuotes()--and think about the security
issue.

> -----Original Message-----
> From: Tony Weeg [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 02, 2002 10:44 PM
> To: CF-Talk
> Subject: RE: shooting my server soon....
>
>
> ok great, it works when i have this in a page...
>
>       <cfquery name="ex" datasource="cx">
>               update [reports] set password = '123xxx456'
>       </cfquery>
>
> but not when i send this string from a form field
> textarea called sql
>
>       update [reports] set password = '123xxx456'
>
>
>       <cfquery name="ex" datasource="cx">
>               #form.sql#
>       </cfquery>
>
> any idea?
>
> tony
>
> -----Original Message-----
> From: David Notik [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 02, 2002 10:26 PM
> To: CF-Talk
> Subject: RE: shooting my server soon....
>
>
> Try adding a valid WHERE clause and see if the statement works.
>
> UPDATE Reports SET Password = 'XXXXXX' WHERE ID=1
>
> That will at least get you closer to diagnosing the cause.
>
> Also, be sure your CFQUERY tags have proper < and >.
>
> --Dave
>
> ###################
> David Notik
> Digital202, LLC
> Imagination gone digital.
> Web: www.digital202.com
> E-mail: [EMAIL PROTECTED]
> Office: (206) 575-1717
> Mobile: (206) 351-3948
> ###################
>
>
> -----Original Message-----
> From: Tony Weeg [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 02, 2002 7:21 PM
> To: CF-Talk
> Subject: RE: shooting my server soon....
>
> ok.....
>
> update [reports] set password = 'xxxx'
>
> Message: Error Executing Database Query.
> Detail: [Macromedia][SQLServer JDBC Driver][SQLServer]Line 1:
> Incorrect syntax near 'xxxx'.
> Native Error Code: 170
> SQL State: HY000
>
> same error?
>
> tony
>
> -----Original Message-----
> From: Matthew Walker [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 02, 2002 10:15 PM
> To: CF-Talk
> Subject: RE: shooting my server soon....
>
>
> Don't know. One of the secrets of T-SQL I guess. ;-)
>
> > -----Original Message-----
> > From: Tony Weeg [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, 3 December 2002 4:06 p.m.
> > To: CF-Talk
> > Subject: RE: shooting my server soon....
> >
> >
> > but why can i do it fine in select statements?
> >
> > tony
> >
> > -----Original Message-----
> > From: Matthew Walker [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, December 02, 2002 9:59 PM
> > To: CF-Talk
> > Subject: RE: shooting my server soon....
> >
> >
> > Reports is a reserved word. Wrap it in []
> > http://aspfaq.com/show.asp?id=2080
> >
> >
> >
> > > -----Original Message-----
> > > From: Tony Weeg [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, 3 December 2002 3:45 p.m.
> > > To: CF-Talk
> > > Subject: shooting my server soon....
> > >
> > >
> > > why?
> > >
> > > update reports set password = 'xxxx'
> > >
> > > will not work in my cf code on my cfmx server.
> > >
> > > i can run the same query in query analyzer, and all is well.
> > >
> > > any explanation would save my ***king server...
> > >
> > > thanks
> > >
> > > ...tony
> > >
> > > tony weeg
> > > [EMAIL PROTECTED]
> > > www.revolutionwebdesign.com
> > > rEvOlUtIoN wEb DeSiGn
> > > 410.334.6331
> > >
> > >
> >
> >
>
>
>
>



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq