> What does this do and how do I stop it....?
>
> and 1=convert(int,system_user)--sp_password
>
> I recently received an email from someone showing me my ID and
> Password of a site I work on. They also stated that they could get our
> customer information.
This is a SQL injection technique used to glean information from your server by getting it to throw back errors when it tries to convert MS SQL Server variables to integers. In the instance you posted, you are seeing them glean your system user name by trying to convert it to an integer during the comparison to 1. Obviously a character string can't be converted to one, so it throws back an error that 'yoursystemusername' can't be converted to an integer. Now the hacker knows your system username.

They can also figure out several other things using this method, such as the server name (convert(int, @@servername)), version (convert(int, @@version)), database name (convert(int, db_name())), etc. Further, it might be possible to execute commands, depending on the privileges of the user set up for the database connection from ColdFusion.

You must not trust any input coming from the client side. Make sure to check all inputs, whether from forms or the URL, for datatype. In addition, escape any quotes to prevent SQL injection from string fields.

CoolJJ

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280639
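As an added illustration (not code from the original post or from CoolJJ's reply), the following ColdFusion page shows the pattern the reply warns about beside a hardened version. The datasource name "customerDSN", the "customers" table, and the url.id / form.customerName inputs are assumed for the example.

```cfml
<!--- Added example; datasource "customerDSN", table "customers", url.id and
      form.customerName are assumed names, not from the original post. --->

<!--- Vulnerable: url.id is pasted straight into the SQL text. Anything appended
      to the id (for example the "and 1=convert(int,system_user)--" from the
      original post) becomes part of the query, and the resulting MS SQL
      conversion error is sent back to the browser. --->
<cfquery name="getCustomer" datasource="customerDSN">
    SELECT customer_id, name, email
    FROM   customers
    WHERE  customer_id = #url.id#
</cfquery>

<!--- Hardened version --->

<!--- 1. Check the datatype before the value gets anywhere near the database. --->
<cfif NOT isNumeric(url.id)>
    <cfthrow message="Invalid customer id">
</cfif>

<!--- 2. Pass the value as a typed bind parameter. cfqueryparam with
      cf_sql_integer sends the value separately from the SQL text, so quotes
      and appended clauses are never interpreted as SQL; a non-integer value
      is rejected by ColdFusion before the query is sent. --->
<cftry>
    <cfquery name="getCustomer" datasource="customerDSN">
        SELECT customer_id, name, email
        FROM   customers
        WHERE  customer_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfcatch type="database">
        <!--- 3. Never echo the database error to the client; the raw message is
              exactly what the convert(int, ...) technique relies on. Log it
              server-side and show a generic message instead. --->
        <cflog file="application" type="error" text="Customer lookup failed: #cfcatch.message#">
        <cfthrow message="Unable to look up customer">
    </cfcatch>
</cftry>

<!--- String inputs get the same treatment: a typed, length-limited parameter
      rather than hand-escaped quotes. --->
<cfquery name="findByName" datasource="customerDSN">
    SELECT customer_id, name
    FROM   customers
    WHERE  name = <cfqueryparam value="#form.customerName#" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>
```

With cfqueryparam in place the quote-escaping step the reply mentions is no longer needed, because the parameter value is never spliced into the SQL text. The datatype check and the generic error page are what remove the information leak itself: even if an attacker sends the convert(int, ...) payload, it is rejected as a non-integer and no server message reaches them.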

