gabriel l smallman wrote:
>
>>>Realistically, coldfusion automatically escapes any single quotes
>
> But if I'm not mistaken (easily could be) someone might not need to be able to
> stuff in single quotes to tamper? I think they need the semicolon and
> parens to insert a sub query to blow something up
>
> ;(drop table users) or something of the sort?
If your query doesn't already have the single quotes... that's an issue,
like this:
<cfquery ..>
select * from emp where emp_id=#url.emp_id#
</cfquery>
That would certainly be bad...
Then you could pass "?emp_id=;drop table emp" (with the appropriate url
encoding).
But for strings...
<cfquery ...>
select * from products where title like '%#url.criteria#%'
</cfquery>
It's not really a problem because like I said, coldfusion automatically
escapes single quotes within variables inside cfquery. So even if you
passed a value like '; drop table products
the resulting query would be:
select * from products where title like '%''; drop table products'
And that's not dangerous.
That being said.. I've never had a problem with <cfquery> using cached
attributes.. it doesn't cache the attributes, the database caches the
query without the attributes so it doesn't have to recompile the query
every time.. so coldfusion is passing the parameters in every time.
- Rick
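As an added example (not part of Rick's post or the CF-Talk thread), the two queries from the reply side by side with the form that closes the gap Rick describes. The unquoted numeric comparison is the case where cfquery's single-quote escaping never applies, and cfqueryparam is the standard ColdFusion way to send the value as a typed bound parameter instead of splicing it into the SQL text. The datasource name "hr" and the table/column names are assumptions taken from the queries quoted in the thread.

```cfml
<!--- Added example; assumes a datasource named "hr" and the emp / products
      tables referenced in the thread. --->

<!--- Vulnerable: emp_id is interpolated into an unquoted numeric comparison, so
      the single-quote escaping that cfquery applies to string values never
      comes into play. A value such as "1;drop table emp" reaches the database
      as part of the statement text. --->
<cfquery name="empBad" datasource="hr">
    select * from emp where emp_id = #url.emp_id#
</cfquery>

<!--- Fixed: cfqueryparam sends the value as a bound parameter typed as an
      integer. Input that is not a valid integer is rejected before the
      statement runs, and the SQL text the database sees is identical on
      every request, which is what lets it reuse the prepared statement. --->
<cfquery name="empGood" datasource="hr">
    select * from emp
    where emp_id = <cfqueryparam value="#url.emp_id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- The string case from the thread, also parameterised. The LIKE wildcards
      are built into the parameter value rather than the SQL text, so the
      user-supplied part can never change the structure of the statement. --->
<cfquery name="products" datasource="hr">
    select * from products
    where title like <cfqueryparam value="%#url.criteria#%" cfsqltype="cf_sql_varchar">
</cfquery>
```

With the parameterised forms, the question of whether a given character (quote, semicolon, parenthesis) is escaped stops mattering: the value is never part of the statement text, so the database parses the same query regardless of what the client sends, and a non-numeric emp_id fails type validation instead of reaching the database.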
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192549
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4