You've still got issues e.g. arguments.tablename = "sysobjects".

Essentially, you're still hoping you've thought of everything that can 
be done.

An idea might be:

<cfset allowedtables = "file,image">

<cfif not listfindnocase(allowedtables, arguments.tablename)>
    <cfabort>
</cfif>

This way, you are explicitly denying everything except what you know is 
okay.
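To make the difference between the two approaches concrete, here is an added example (not code from this thread, and Python rather than CFML so it can be run anywhere) that puts the character-class filter from the quoted message beside the allowlist check. The table names "file" and "image", and the sample inputs, are constructed for the illustration; the `build_update` helper is a stand-in for the `<cfquery>` in the original.

```python
import re
from typing import Optional

# Allowlist of table names this code path may touch (constructed for the
# example; the real application lists exactly the tables it needs).
ALLOWED_TABLES = ("file", "image")

# Character-class filter in the spirit of the quoted message: a name is
# "clean" if it contains only letters, underscore or hyphen.
_BAD_CHAR = re.compile(r"[^A-Za-z_-]")


def passes_charset_filter(table_name: str) -> bool:
    """Return True when the name contains no character outside [A-Za-z_-].

    This is a denylist on characters, not a list of permitted tables, so any
    alphabetic name that the caller did not expect still gets through.
    """
    return bool(table_name) and _BAD_CHAR.search(table_name) is None


def allowed_table(table_name: str) -> Optional[str]:
    """Case-insensitive allowlist lookup, equivalent to listfindnocase.

    Returns the canonical spelling from ALLOWED_TABLES on a match, else None,
    so the caller never has to interpolate the user-supplied bytes at all.
    """
    wanted = table_name.lower()
    for name in ALLOWED_TABLES:
        if name.lower() == wanted:
            return name
    return None


def build_update(table_name: str) -> str:
    """Stand-in for the <cfquery>: only an allowlisted, canonical name is
    ever placed in the statement text; everything else is rejected."""
    canonical = allowed_table(table_name)
    if canonical is None:
        raise ValueError(f"table not permitted: {table_name!r}")
    # The table name came from our own list; the values still go through
    # bind parameters (the ? placeholders), never string interpolation.
    return f"UPDATE {canonical} SET name = ? WHERE id = ?"


if __name__ == "__main__":
    # Constructed inputs: a legitimate name, the same name in a different
    # case, a real-looking but unintended table, and a name with SQL syntax.
    for candidate in ("file", "IMAGE", "sysobjects", "file; drop table image"):
        print(
            f"{candidate!r:28} charset filter: {passes_charset_filter(candidate)!s:5} "
            f"allowlist: {allowed_table(candidate)}"
        )
```

Running the block shows the point made in the reply above: the character filter passes "sysobjects" because it is purely alphabetic, while the allowlist returns None for it and only hands back "file" or "image". Because the statement is built from the canonical name returned by the lookup, no caller-supplied string ever reaches the SQL text, which is the property the character filter cannot give you.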




Richard Cooper wrote:
> Hi Tom,
>
> Do you think something like this would make it safe from SQL attack:
>
> <cfset tableOK = REFindNoCase("[^A-Za-z_-]+", ARGUMENTS.tablename, 1, "TRUE")>
> <cfif tableOK.pos[1] NEQ 0>
> <cfabort>
>
> <cfelse>
> <cfquery>
> UPDATE #ARGUMENTS.tablename#
> .....
>
> </cfif>
>
>
>
> 

Archive: 
http://www.houseoffusion.com/cf_lists/message.cfm/forumid:4/messageid:245675