I'm not seeing how your example would do anything other than find zero
records...

Start with:
<cfquery>select * from table where lastname = '#form.lastname#'</cfquery>

Use your example:
Form.lastname = " test'; DROP TABLE table; "

So you get (with quote-doubling)
select * from table where lastname = ' test''; DROP TABLE table; '

And you will return all records with a last name of " test'; DROP TABLE
table; ". 

If what you describe were true then you could never search for the name
"O'Connor".

My take-away is that all ## expanded variables in a query should be
quoted, even values that are "supposed to" always be numbers. Sure,
cfqueryparam is safe and good and all of that, but it isn't like cfquery
without it is necessarily an open door (if you're consistent).

        Mark
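To make the quote-doubling argument concrete, here is an added Python example; it is not code from this thread and not ColdFusion's own implementation. It models the doubling Mark describes with a hypothetical cf_escape helper, runs the quoted query and a parameterized stand-in for cfqueryparam against a constructed in-memory SQLite table, and adds the integer check Mark's point about unquoted numeric slots calls for. The table name, columns and rows are all made up for the demonstration.

```python
import sqlite3

# Constructed sample rows (not from the thread); one name contains a quote.
ROWS = [(1, "Rick", "Schmitty"), (2, "Mary", "O'Connor"), (3, "Ann", "test")]


def cf_escape(value: str) -> str:
    """Hypothetical helper modelling the quote doubling the thread says
    ColdFusion applies to ## variables expanded inside a cfquery."""
    return value.replace("'", "''")


def build_quoted(lastname: str) -> str:
    """SQL text for: select * from table where lastname = '#form.lastname#'
    after quote doubling has been applied to the variable."""
    return f"SELECT id FROM people WHERE lastname = '{cf_escape(lastname)}'"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE people (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)"
    )
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", ROWS)
    return conn


def find_quoted(lastname: str) -> list:
    """Run the quoted, quote-doubled query and return matching ids."""
    conn = make_db()
    return [row[0] for row in conn.execute(build_quoted(lastname))]


def find_param(lastname: str) -> list:
    """Stand-in for cfqueryparam: the value is bound, never spliced into SQL."""
    conn = make_db()
    cur = conn.execute("SELECT id FROM people WHERE lastname = ?", (lastname,))
    return [row[0] for row in cur]


def table_survives(lastname: str) -> bool:
    """Run the quoted query with a hostile value and check the table is intact."""
    conn = make_db()
    conn.execute(build_quoted(lastname)).fetchall()
    found = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'people'"
    ).fetchone()
    return found is not None


def find_by_id(id_value: str) -> list:
    """Numeric slot with no surrounding quotes: doubling has nothing to
    escape, so the value must be validated as an integer before use."""
    n = int(id_value)  # raises ValueError for anything that is not a number
    conn = make_db()
    cur = conn.execute(f"SELECT lastname FROM people WHERE id = {n}")
    return [row[0] for row in cur]


if __name__ == "__main__":
    hostile = " test'; DROP TABLE table; "
    print(build_quoted(hostile))
    print("quoted:", find_quoted(hostile), "param:", find_param(hostile))
    print("O'Connor:", find_quoted("O'Connor"), find_param("O'Connor"))
    print("table survives:", table_survives(hostile))
```

With the doubled quote the hostile value is one string literal, so both forms return zero rows and the table is untouched; the parameterized form gives the same answer for "O'Connor" without any escaping logic in the query text. The numeric path is where quote doubling offers nothing, which is why it validates the value first.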

-----Original Message-----
From: Peterson, Chris [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 08, 2007 3:17 PM
To: CF-Talk
Subject: RE: cfquery: quotes vs queryparam

Are you kidding???

I just replace form.lastname with:   " test'; DROP TABLE table; "

Poof, your data'z are gone

Or, if you really wanna get tricky and someone has debugging turned on,
or you can guess field / table names:

Let's say you have a fName and lName column outputting a list, and I can
figure that out

Now I replace form.lastname with this:    "  test'; SELECT
credit_card_num as fName, expireDate as lName FROM creditCards;  "

Now instead of seeing a firstname / lastname directory, I see a list of
all your credit cards in the database =)

ALWAYS use cfqueryparam, or clean the crap out of any incoming variables
to ensure they are not being exploited.


Chris Peterson
Gainey IT
Adobe Certified Advanced Coldfusion Developer

-----Original Message-----
From: Rick Schmitty [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 2:57 PM
To: CF-Talk
Subject: cfquery: quotes vs queryparam

Is there any way for someone to hack a quoted query?

<cfquery>
select * from table where name='#form.lastname#'
</cfquery>

vs

<cfquery>
select * from table where name=<cfqueryparam cfsqltype="cf_sql_varchar"
maxlength="255" value="#form.lastname#"/>
</cfquery>


Seems anything I throw at the quoted query gets escaped correctly...





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Get involved in the latest ColdFusion discussions, product
development sharing, and articles on the Adobe Labs wiki.
http://labs/adobe.com/wiki/index.php/ColdFusion_8

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285743
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Reply via email to