I posted one earlier. Replace a numeric value that is sent via form or URL with some SQL and the SQL will execute.
Snake

-----Original Message-----
From: Russ [mailto:[EMAIL PROTECTED]
Sent: 23 August 2006 19:16
To: CF-Talk
Subject: RE: coldfusion sql injection

So there's the question. Can someone provide an example of a working sql injection attack?

> -----Original Message-----
> From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 23, 2006 2:05 PM
> To: CF-Talk
> Subject: Re: coldfusion sql injection
>
> Russ wrote:
> > The string is also autoescaped even if you don't use cfqueryparam...
> > at least on SQL server. Is it not with other DB systems?
>
> It is. But that is not enough.
>
> Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250776
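The pattern the thread is talking about, written out as an added example (this is not code from Snake, Russ or Jochem, nor from any CF-Talk project): a numeric URL parameter dropped into the SQL text unquoted, beside the cfqueryparam form that closes the hole. The datasource name `app_dsn`, the `product` table and the URL parameter `id` are assumed for illustration.

```cfml
<!--- VULNERABLE: url.id is concatenated straight into the statement.
      ColdFusion's automatic escaping of single quotes only protects a value
      that sits inside a quoted string literal. In a numeric position there
      are no quotes, so anything other than a plain number is handed to the
      database as part of the SQL itself. This is exactly why "the string is
      autoescaped" is not enough. --->
<cfquery name="getProduct" datasource="app_dsn">
    SELECT id, name, price
    FROM product
    WHERE id = #url.id#
</cfquery>

<!--- HARDENED: two independent layers.
      1. cfparam with type="integer" rejects the request before any SQL is
         built if url.id is missing or not an integer.
      2. cfqueryparam binds the value as a typed parameter. The driver sends
         the statement and the value separately, so the value can never alter
         the SQL that runs; cf_sql_integer also throws on a non-numeric value
         rather than passing it through. --->
<cfparam name="url.id" type="integer">

<cfquery name="getProduct" datasource="app_dsn">
    SELECT id, name, price
    FROM product
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- The same rule applies to string parameters: bind them with
      cfsqltype="cf_sql_varchar" instead of relying on quote escaping. --->
<cfquery name="findProduct" datasource="app_dsn">
    SELECT id, name, price
    FROM product
    WHERE name = <cfqueryparam value="#form.productName#" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>
```

When auditing a ColdFusion code base for this class of bug, a quick first pass is to grep every `<cfquery>` body for `#` interpolation that is not wrapped in a `<cfqueryparam>`; any such hit in an unquoted (numeric, IN-list or ORDER BY) position is the case Snake describes, and the quoted string cases are only one missed escape away from it.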

