Pete Freitag had an amazing session at CFUnited about things like this. It's amazing what can be done using the query string.
-----Original Message-----
From: Peterson, Chris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 2:17 PM
To: CF-Talk
Subject: RE: cfquery: quotes vs queryparam

Are you kidding??? I just replace form.lastname with:

    " test'; DROP TABLE table; "

Poof, your data'z are gone.

Or, if you really wanna get tricky and someone has debugging turned on, or you can guess field / table names:

Let's say you have a fName and lName column outputting a list, and I can figure that out. Now I replace form.lastname with this:

    " test'; SELECT credit_card_num as fName, expireDate as lName FROM creditCards; "

Now instead of seeing a firstname / lastname directory, I see a list of all your credit cards in the database =)

ALWAYS use cfqueryparam, or clean the crap out of any incoming variables to ensure they are not being exploited.

Chris Peterson
Gainey IT
Adobe Certified Advanced ColdFusion Developer

-----Original Message-----
From: Rick Schmitty [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 2:57 PM
To: CF-Talk
Subject: cfquery: quotes vs queryparam

Is there any way for someone to hack a quoted query?

    <cfquery>
    select * from table where name='#form.lastname#'
    </cfquery>

vs

    <cfquery>
    select * from table where name=<cfqueryparam cfsqltype="cf_sql_varchar" maxlength="255" value="#form.lastname#"/>
    </cfquery>

Seems anything I throw at the quoted query gets escaped correctly...

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285739
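An added example, not code from the thread, showing in Python against an in-memory SQLite database what the exchange above describes: the credit-card exfiltration Chris outlines, the reason Rick's string-context tests looked safe, and why cfqueryparam is the right fix. ColdFusion doubles single quotes in variables it interpolates inside cfquery, which stops a payload that has to break out of a quoted string; that protection does nothing in a numeric context such as `where id=#url.id#`, where no quote is needed. The example uses a UNION payload rather than Chris's stacked `DROP TABLE` statement because whether a second statement executes depends on the driver and database. The `people` table, its `id` column, the `creditCards` table and all rows are constructed for the demo; the column names follow Chris's message.

```python
import sqlite3

# Constructed sample schema and data (assumption: table and column names follow
# Chris's message; the people.id column and every row are made up for this demo).
SCHEMA = """
CREATE TABLE people (id INTEGER, fName TEXT, lName TEXT);
CREATE TABLE creditCards (credit_card_num TEXT, expireDate TEXT);
INSERT INTO people VALUES (1, 'Rick', 'Schmitty'), (2, 'Chris', 'Peterson');
INSERT INTO creditCards VALUES ('4111111111111111', '12/09'),
                               ('5500000000000004', '03/10');
"""

# Both payloads select two columns so they line up with the fName/lName listing.
# The string-context one closes the quote first; the numeric one needs no quote.
UNION_STRING_PAYLOAD = "x' UNION SELECT credit_card_num, expireDate FROM creditCards --"
UNION_NUMERIC_PAYLOAD = "1 UNION SELECT credit_card_num, expireDate FROM creditCards"
CARD_ROWS = {("4111111111111111", "12/09"), ("5500000000000004", "03/10")}


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def lookup_concat(con, lastname):
    """Vulnerable: the value is pasted into the SQL text, like '#form.lastname#'
    would be if nothing escaped it."""
    sql = f"SELECT fName, lName FROM people WHERE lName='{lastname}'"
    return con.execute(sql).fetchall()


def lookup_concat_escaped(con, lastname):
    """Still concatenation, but with single quotes doubled, which is what
    ColdFusion does automatically for variables inside cfquery."""
    safe = lastname.replace("'", "''")
    sql = f"SELECT fName, lName FROM people WHERE lName='{safe}'"
    return con.execute(sql).fetchall()


def lookup_by_id_concat(con, person_id):
    """Numeric context: there is no quote to escape, so quote-doubling cannot help."""
    sql = f"SELECT fName, lName FROM people WHERE id={person_id}"
    return con.execute(sql).fetchall()


def lookup_param(con, lastname):
    """Parameterised query, the cfqueryparam equivalent: the value is bound as
    data and never becomes part of the SQL text."""
    return con.execute("SELECT fName, lName FROM people WHERE lName=?", (lastname,)).fetchall()


def leaked_cards(rows):
    """Card rows present in a result set; an empty set means nothing leaked."""
    return set(rows) & CARD_ROWS


if __name__ == "__main__":
    con = open_db()
    print("normal:  ", lookup_concat(con, "Schmitty"))
    print("concat:  ", leaked_cards(lookup_concat(con, UNION_STRING_PAYLOAD)))
    print("escaped: ", leaked_cards(lookup_concat_escaped(con, UNION_STRING_PAYLOAD)))
    print("numeric: ", leaked_cards(lookup_by_id_concat(con, UNION_NUMERIC_PAYLOAD)))
    print("param:   ", leaked_cards(lookup_param(con, UNION_STRING_PAYLOAD)))
```

Quote-doubling blocks the string-context payload, which is the behaviour Rick observed, but the same concatenation in a numeric context leaks the card table unchanged. Binding the value as a parameter protects both contexts, and in ColdFusion cfqueryparam's `cfsqltype` additionally rejects a value that is not of the declared type.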

