That's the thing... When is cfqueryparam REALLY necessary for security? I want to see some examples that require cfqueryparam.
Russ > -----Original Message----- > From: Jeff Guillaume [mailto:[EMAIL PROTECTED] > Sent: Tuesday, August 22, 2006 6:53 PM > To: CF-Talk > Subject: Re: coldfusion sql injection > > I just make sure I always scrub user-entered data when possible, but at > the very least you should use <cfqueryparam> to pass data into queries. > > --- > Jeff Guillaume > Kazoomis > www.kazoomis.com > > >Now, it is my belief that CF auto escapes single quotes, so sql injection > >into a string is not possible. I believe it's still possible if you have > a > >number, but pass in a string, but that can be defeated by using VAL. > > > > > > > >Someone pointed me to an article from 2 years ago that describes how to > do > >sql injection with CF: > >http://coldfusion.sys-con.com/read/46358.htm?CFID=472470 > ><http://coldfusion.sys- > con.com/read/46358.htm?CFID=472470&CFTOKEN=B2D822C3-1 > >3E7-B7E0-0702115FF33798C6> &CFTOKEN=B2D822C3-13E7-B7E0-0702115FF33798C6 > > > > > > > >I couldn't get the example in there to work. > > > > > > > >Other then putting in an injection string into a numeric argument, are > there > >any other examples of doing SQL injection with ColdFusion? > > > > > > > >Russ > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250676 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
