Jochem's example will wind up with all the DROP TABLE junk in the text
field.
If you try that against a numeric field, then you wind up with invalid
SQL which will throw an error.
Besides, shouldn't there be some data validation before you get to the
stage of running the query????? Or am I just weird?
Stephen
Steve Nelson wrote:
> Yeah, but CF will double up those quotes automatically. At least I thought
> it did.
>
> Steve
> -----Original Message-----
> From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 24, 2004 3:34 AM
> To: CF-Talk
> Subject: RE: why are procedures better? (was: RE: Securing CF Apps.)
>
> This type of coding can be insecure. Just imagine what would happen in
> Oracle, MySQL or any other database that use C-style escaping when
> combined with:
> <cfset url.user_id = "h4ck3r\'; DROP TABLE users; COMMIT; --">
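Added example, not code from the thread or from ColdFusion itself: a Python stand-in that shows both sides of this exchange. It emulates the "double up the quotes" escaping, then reads the resulting SQL literal two ways: as a standard SQL parser does (backslash is an ordinary character, so the payload stays inside the text field, as Stephen says) and as a C-style-escaping parser does (backslash escapes the next quote, so the literal closes early and the rest of the payload becomes a separate statement, as Jochem warns). It then shows the two defences the thread points at: validating a numeric id before it reaches the query, and binding the value as a parameter. The literal reader is a simplified emulation and sqlite3 is used only as an offline stand-in; both are assumptions for this example.

```python
"""Added example: why quote-doubling is not a safe escape everywhere,
and what validation and parameter binding look like instead."""
import sqlite3

# Constructed payload, modelled on the one quoted in the thread.
PAYLOAD = "h4ck3r\\'; DROP TABLE users; COMMIT; --"


def double_quotes(value: str) -> str:
    """Emulates 'double up the quotes' escaping (assumed to be the only step)."""
    return value.replace("'", "''")


def build_query_by_concatenation(user_id: str) -> str:
    """The insecure pattern: escape by quote-doubling, then splice into SQL text."""
    return "SELECT * FROM users WHERE user_id = '" + double_quotes(user_id) + "'"


def read_literal(sql: str, c_style: bool):
    """Reads the first single-quoted literal in `sql`.

    c_style=False: standard SQL, where only '' is an escape (SQLite, PostgreSQL default).
    c_style=True : backslash also escapes the next character (MySQL default mode).
    Returns (literal_value, text_remaining_after_the_literal)."""
    i = sql.index("'") + 1
    out = []
    while i < len(sql):
        ch = sql[i]
        if c_style and ch == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])      # backslash escapes the next character
            i += 2
            continue
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")         # doubled quote = one literal quote
                i += 2
                continue
            return "".join(out), sql[i + 1:]   # closing quote reached
        out.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


def injected_tail(user_id: str, c_style: bool) -> str:
    """Whatever follows the user_id literal after the parser closes it.
    Empty means the value stayed inside the field; non-empty means breakout."""
    _, remainder = read_literal(build_query_by_concatenation(user_id), c_style)
    return remainder.rstrip("'")


def validate_numeric_id(value: str) -> int:
    """Validation before the query stage: a numeric key must be an integer."""
    if not value.isdigit():
        raise ValueError(f"user_id must be a non-negative integer, got {value!r}")
    return int(value)


def lookup_user_parameterized(user_id: str):
    """The safe pattern: the value is bound, never spliced into the SQL text.
    Uses an in-memory SQLite database with constructed rows.
    Returns (matching names, whether the users table still exists)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("1", "alice"), ("h4ck3r'", "bob")])
    rows = conn.execute("SELECT name FROM users WHERE user_id = ?",
                        (user_id,)).fetchall()
    table_exists = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'users'").fetchone()[0] == 1
    conn.close()
    return [r[0] for r in rows], table_exists


if __name__ == "__main__":
    print("standard SQL parse, tail:", repr(injected_tail(PAYLOAD, c_style=False)))
    print("C-style parse, tail     :", repr(injected_tail(PAYLOAD, c_style=True)))
    print("parameterized lookup    :", lookup_user_parameterized(PAYLOAD))
```

Run as a script it prints an empty tail for the standard parse (the whole payload lands in the text field) and `; DROP TABLE users; COMMIT; --` for the C-style parse, while the parameterized lookup returns no rows and leaves the table intact.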