Two things should never be underestimated:

1) A hacker's ability to break things

2) A developer's capacity for bad code

This demonstrates a particularly badly written login scheme I just
concocted, using QoQ (the QueryNew() is there so you can run this
without having to mess with a DB). PreserveSingleQuotes() has been
wrapped around the password because the hypothetical developer wants
people to be able to use quotes in their password:

<cfsilent>
        <cfset myQuery = QueryNew("username,password")>
        <cfset QueryAddRow(myQuery)>
        <cfset myQuery["username"][1] = "SomeUser">
        <cfset myQuery["password"][1] = "1234abcd">
        <!--- this would have come from a form post or similar --->
        <cfset FORMUsername = "SomeUser">
        <!--- the quote in this value closes the password literal and the "or 1=1" makes the WHERE clause true --->
        <cfset FORMpassword = "a' or 1=1 or 'a' = '">
        <!--- PreserveSingleQuotes() stops CF from doubling the quote, so the value is spliced into the SQL verbatim --->
        <cfquery dbtype="query" name="qCheckLogin" result="MyResult">
                SELECT *
                  FROM myQuery
                 WHERE username = '#FORMUsername#'
                   AND password  = '#PreserveSingleQuotes(FORMpassword)#'
        </cfquery>
</cfsilent>

<cfoutput>
<p>Rows: #qCheckLogin.RecordCount#</p>
#MyResult.SQL#
</cfoutput>

Try it on CF7; the row count is 1, meaning that a successful login was
achieved. Now try wrapping cfqueryparam around the variables in the
query - the row count is 0, whether or not you keep the
PreserveSingleQuotes() in there (and the SQL output shows bind
params).

So, on CF7, cfqueryparam does prevent some kinds of SQL injection in
QoQ in a meaningful way.

On 1/23/07, Mary Jo Sminkey <[EMAIL PROTECTED]> wrote:
> >No, query-of-query functionality doesn't support bind parameters in any
> >meaningful way, as far as I can tell. There's no actual database there, if
> >you know what I mean. Likewise, there's no likelihood of SQL injection
> >attacks succeeding, without an actual database to execute those attacks.
>
> Okay, thanks Dave. That was my assumption, but wanted to be sure I wasn't 
> assuming incorrectly. ;-)
>
> And yes, I realized after I wrote it that the SQL injection was a moot point.


-- 
CFAJAX docs and other useful articles:
http://www.bifrost.com.au/blog/
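As an added example (it is not part of the original post and not Adobe's code), here is the same QoQ login check with both form values bound through cfqueryparam, which is the fix the message above describes. The query, table, variable names and sample data are taken from the post; the loginOK variable and the exact-one-row check are my own assumptions.

```cfml
<!--- Added example, not from the original post: the login check from the
      message above, rewritten so the two inputs are bound parameters. --->
<cfsilent>
        <cfset myQuery = QueryNew("username,password")>
        <cfset QueryAddRow(myQuery)>
        <cfset myQuery["username"][1] = "SomeUser">
        <cfset myQuery["password"][1] = "1234abcd">

        <!--- same attacker-supplied values as in the original demo --->
        <cfset FORMUsername = "SomeUser">
        <cfset FORMpassword = "a' or 1=1 or 'a' = '">

        <!--- With cfqueryparam the quotes inside FORMpassword stay data:
              the WHERE clause compares the whole string against the stored
              password instead of being rewritten by it. PreserveSingleQuotes()
              is no longer needed, because the value never touches the SQL text. --->
        <cfquery dbtype="query" name="qCheckLogin" result="MyResult">
                SELECT *
                  FROM myQuery
                 WHERE username = <cfqueryparam value="#FORMUsername#" cfsqltype="cf_sql_varchar">
                   AND password = <cfqueryparam value="#FORMpassword#" cfsqltype="cf_sql_varchar">
        </cfquery>

        <!--- Assumed check: only exactly one matching row counts as a login. --->
        <cfset loginOK = (qCheckLogin.RecordCount EQ 1)>
</cfsilent>

<cfoutput>
<p>Rows: #qCheckLogin.RecordCount#</p>
<p>Login OK: #loginOK#</p>
#MyResult.SQL#
</cfoutput>
```

With the injection string from the post, the row count is 0 and loginOK is false; set FORMpassword to "1234abcd" and the row count goes back to 1. The bind placeholders show up in the MyResult.SQL output in place of the interpolated values.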


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:267242