Jeff, Assume the big bad user put a ' after your (value).
SELECT * FROM table1 WHERE field1 = 'some value';DELETE FROM table2 WHERE 1 = 1 --'

I don't think any of the examples posted yet explicitly had it in there, but give it a try, crackers will.

cfqueryparam,
t

On Wed, 02 Feb 2005 13:28:15 -0800, Jeff Congdon <[EMAIL PROTECTED]> wrote:
> Adam, first off - I agree with you entirely, one should not be playing
> this game. I don't post in an attempt to convince the original poster
> to not use queryparam, only as a response to what I saw to be an
> incorrect answer.
>
> With that in mind, I still cannot get it to work.
>
> "select * from (table) where (field) = '(value);DELETE from (table2)
> where 1 = 1 --'"
>
> I tried this in both query analyzer and a CF page, and if the (value)
> field is a string it tries to find a value with the entire string
> specified. If the (value) field is int, it fails trying to convert the
> sql statement to int. In neither case does this actually remove
> anything -- the embedded/injected sql is not being executed.
>
> -jc
>
> If the quoted value is an int, it will fail
>
> Adam Haskell wrote:
>
> >you missed the -- at the end....that comments anything trailing on
> >that line...like the ending single quote. i am going to echo quite a
> >few people don't play the game with a hacker, hackers are always half
> >a step ahead and if they fall behind they will find a way to get
> >ahead...
> >
> >Adam H
> >On Tue, 01 Feb 2005 16:15:59 -0800, Jeff Congdon <[EMAIL PROTECTED]> wrote:
> >
> >>which would say '(value);DROP * FROM tableName where 1 = 1'
> >>
> >>... which would be harmless. at least by sql server, it would be
> >>treated as one long string to insert/update/whatever.
> >>
> >>-jc
> >>
> >>Michael T. Tangorre wrote:
> >>
> >>>>Strings are within single quotes. Can you tamper with '#url.emp_id#'
> >>>>if emp_id is text??
> >>>
> >>>; DROP * FROM TableName WHERE 1=1 --
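The point of the reply above is that the attacker's value supplies its own closing quote and a trailing `--`, so the quote the application appends is commented away and the second statement runs. The following is an added example, not code from the list thread: it builds the exact query text the poster shows, runs it against a constructed in-memory SQLite database standing in for SQL Server (SQLite's `execute()` refuses stacked statements, so `executescript()` is used to mimic a batch-executing driver), and then runs the same input through a parameterized query, which is what `cfqueryparam` does for ColdFusion. Table and column names are the ones from the thread; the schema and rows are constructed.

```python
import sqlite3

# Constructed schema and sample rows (not from the mailing-list thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE table1 (field1 TEXT);
        CREATE TABLE table2 (id INTEGER);
        INSERT INTO table1 VALUES ('some value');
        INSERT INTO table2 VALUES (1), (2), (3);
    """)
    return conn

# The input from the thread: the value carries its own closing quote, a
# second statement, and a '--' comment that swallows the quote the
# application appends afterwards.
PAYLOAD = "some value';DELETE FROM table2 WHERE 1 = 1 --"

def build_query_unsafe(value):
    """String-built query: the pattern the earlier replies assumed was harmless."""
    return "SELECT * FROM table1 WHERE field1 = '" + value + "'"

def run_unsafe(conn, value):
    """Execute the string-built query as a batch and report what is left in table2.

    SQL Server runs a batch containing several statements; sqlite3.execute()
    refuses stacked statements, so executescript() stands in for that driver
    behaviour here (an assumption of this example, not something from the thread).
    """
    conn.executescript(build_query_unsafe(value))
    return conn.execute("SELECT COUNT(*) FROM table2").fetchone()[0]

def run_parameterized(conn, value):
    """Equivalent of <cfqueryparam>: the value travels separately from the SQL,
    so the quote, the semicolon and the '--' are just characters in a string."""
    rows = conn.execute(
        "SELECT * FROM table1 WHERE field1 = ?", (value,)
    ).fetchall()
    remaining = conn.execute("SELECT COUNT(*) FROM table2").fetchone()[0]
    return rows, remaining

if __name__ == "__main__":
    print("query text:", build_query_unsafe(PAYLOAD))
    print("rows left in table2 after string-built query:", run_unsafe(make_db(), PAYLOAD))
    print("parameterized result, rows left:", run_parameterized(make_db(), PAYLOAD))
```

Run stand-alone, the string-built path leaves table2 empty while the parameterized path matches nothing and leaves all three rows in place, which is exactly why the thread's advice is to stop reasoning about which payloads happen to fail and use `cfqueryparam` for every user-supplied value.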

