Say you had:

Select * from table where field = '#url.var#'

If you simply made url.var:

; DROP * FROM TableName WHERE 1=1 --

You would end up with:

Select * from table where field = '; DROP * FROM TableName WHERE 1=1 --'

No harm done right? But if you changed it to...

' or 1=1; DROP * FROM TableName WHERE 1=1 --

You might have a problem since it would equate to:

Select * from table where field = '' or 1=1; DROP * FROM TableName WHERE 1=1 --

I haven't actually tested that but the next one is an easy test. Consider a simple login query:

Select * from tbl_members where username = '#form.username#' and pword = '#form.pword#'

What if the value passed in both username and pword fields were...

If the field is text:  ' or 'x'='x
Or if the field is a number:  ' or 1=1

Making the query:

Select * from tbl_members where username = '' or 'x'='x' and pword = '' or 'x'='x'

The first record in the table will be returned and the person would be logged in. I don't know about you but usually, the first record in my user and admin tables is ME! The account with the most privileges!

Within the first couple of pages of results in google for "login.asp" the user name and password of:

' or 'x'='x

Will allow access to a number of secured sections. I used asp as an example, because it's way too easy to protect against this sort of thing in CF. If you log into your CF app with this... shame on you! If you log into your asp app with this... why are you using asp? Don't hit me, I've written my share of asp too (when forced) and yes it's fairly easy to guard against too but what's more simple than a cfqueryparam?

-----Original Message-----
From: Bud [mailto:[EMAIL PROTECTED]
Sent: Sunday, February 06, 2005 7:23 AM
To: CF-Talk
Subject: RE: Preventing Malicious Sql without cfquery param

> > Strings are within single quotes. Can you tamper with '#url.emp_id#'
> > if emp_id is text??
> >
> > ; DROP * FROM TableName WHERE 1=1 --
>
> If that is within single quotes, why wouldn't SQL read that simply as a
> string of text?
>
> --
> Bud Schneehagen - Tropical Web Creations, Inc.
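To make the login example above testable offline, here is an added Python/sqlite3 illustration (not code from the thread or from ColdFusion): login_unsafe() interpolates the form values the way '#form.username#' does, while login_param() passes them as bind parameters, which is what cfqueryparam does. The table, account names and passwords are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed stand-in for tbl_members; the first row is the privileged
    # account the post warns about.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tbl_members ("
        "id INTEGER PRIMARY KEY, username TEXT, pword TEXT, role TEXT)"
    )
    db.executemany(
        "INSERT INTO tbl_members (username, pword, role) VALUES (?, ?, ?)",
        [("admin", "s3cret", "admin"), ("alice", "wonderland", "member")],
    )
    return db


def login_unsafe(db, username, pword):
    # Equivalent of '#form.username#' / '#form.pword#' pasted into the SQL:
    # the quote inside the input closes the string and the rest becomes syntax.
    sql = (
        "SELECT username, role FROM tbl_members "
        f"WHERE username = '{username}' AND pword = '{pword}'"
    )
    return db.execute(sql).fetchone()


def login_param(db, username, pword):
    # Equivalent of <cfqueryparam>: the values are bound after the statement
    # is parsed, so a quote in the input is just a character in the value.
    sql = (
        "SELECT username, role FROM tbl_members "
        "WHERE username = ? AND pword = ?"
    )
    return db.execute(sql, (username, pword)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    probe = "' or 'x'='x"
    print("unsafe:", login_unsafe(conn, probe, probe))   # first row: admin
    print("param: ", login_param(conn, probe, probe))    # None: no such user
```

Run as-is: the interpolated query matches every row and returns the first one (the admin account), while the parameterized query returns nothing for the same input and still authenticates a real user normally.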

