Where x is numeric... which can be fixed by using a lot of other things other than cfqueryparam, such as
> Select * from table
> Where x = #Val(form.value)#

Or <cfparam name="form.value" type="numeric">

Or <cfargument name="value" type="numeric"> if you're using it in a cffunction.

I still don't see a reason that we NEED to use cfqueryparam for security.

Russ

> -----Original Message-----
> From: Snake [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 22, 2006 8:13 PM
> To: CF-Talk
> Subject: RE: coldfusion sql injection
>
> Select * from table
> Where x = #form.value#
>
> And form.value = (delete from table)
>
> -----Original Message-----
> From: Russ [mailto:[EMAIL PROTECTED]
> Sent: 22 August 2006 23:57
> To: CF-Talk
> Subject: RE: coldfusion sql injection
>
> That's the thing... When is cfqueryparam REALLY necessary for security? I
> want to see some examples that require cfqueryparam.
>
> Russ
>
> > -----Original Message-----
> > From: Jeff Guillaume [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 22, 2006 6:53 PM
> > To: CF-Talk
> > Subject: Re: coldfusion sql injection
> >
> > I just make sure I always scrub user-entered data when possible, but
> > at the very least you should use <cfqueryparam> to pass data into
> > queries.
> >
> > ---
> > Jeff Guillaume
> > Kazoomis
> > www.kazoomis.com
> >
> > >Now, it is my belief that CF auto escapes single quotes, so sql
> > >injection into a string is not possible. I believe it's still
> > >possible if you have a number, but pass in a string, but that can be
> > >defeated by using VAL.
> > >
> > >Someone pointed me to an article from 2 years ago that describes how
> > >to do sql injection with CF:
> > >http://coldfusion.sys-con.com/read/46358.htm?CFID=472470
> > ><http://coldfusion.sys-con.com/read/46358.htm?CFID=472470&CFTOKEN=B2D822C3-13E7-B7E0-0702115FF33798C6>
> > >
> > >I couldn't get the example in there to work.
> > >
> > >Other than putting in an injection string into a numeric argument,
> > >are there any other examples of doing SQL injection with ColdFusion?
> > >
> > >Russ

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250684
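The unquoted numeric comparison from Snake's message, beside a hardened version that combines the cfargument type check Russ mentions with the cfqueryparam Jeff recommends. This is an added example, not code from the thread; the function names and the datasource name exampleDsn are assumptions, and the table and column names are the ones used in the thread.

```cfml
<!--- Vulnerable form from the thread: x is numeric, so the value is
      interpolated without quotes and ColdFusion's automatic escaping of
      single quotes inside cfquery never applies. With the value Snake
      describes, the SQL sent is:
      SELECT * FROM table WHERE x = (delete from table) --->
<cffunction name="findByXUnsafe" returntype="query">
    <cfargument name="value" type="string" required="true">
    <cfset var rows = "">
    <cfquery name="rows" datasource="exampleDsn">
        SELECT * FROM table WHERE x = #arguments.value#
    </cfquery>
    <cfreturn rows>
</cffunction>

<!--- Hardened form: the numeric argument type rejects non-numbers at the
      call boundary, and cfqueryparam sends the value as a typed bind
      variable rather than as SQL text, so it stays data even if the
      argument type is later relaxed to string. --->
<cffunction name="findByX" returntype="query">
    <cfargument name="value" type="numeric" required="true">
    <cfset var rows = "">
    <cfquery name="rows" datasource="exampleDsn">
        SELECT * FROM table
        WHERE x = <cfqueryparam value="#arguments.value#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfreturn rows>
</cffunction>

<!--- Constructed request carrying the value from Snake's message --->
<cfset form.value = "(delete from table)">

<!--- Val() coerces the string to 0 (Russ's approach), so the query runs as
      WHERE x = 0; passing the raw string instead trips the numeric
      argument check and throws before any SQL is built. --->
<cfset safeRows = findByX(Val(form.value))>
<cftry>
    <cfset ignored = findByX(form.value)>
    <cfcatch type="any">
        <cfoutput>Rejected non-numeric input: #cfcatch.message#</cfoutput>
    </cfcatch>
</cftry>
```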

