> Hmm, that's interesting.  That's what we're using, and I've 
> never been able to get a sql injection attack to work on it.  
> 
> Can someone provide a simple example of how cfquery is 
> vulnerable, so that we all know what kinds of things to watch out for?

I'm not aware of any vulnerabilities with CF's escaping of single quotes and
SQL Server 2000.

That said, that doesn't mean there aren't any. All that has to happen is for
CF to interpret a character sequence as something other than a string
delimiter, and for SQL Server to interpret the same character sequence as a
string delimiter. I would probably check out Unicode character sequences for
this, if I were a penetration tester.

The point of using CFQUERYPARAM to secure database access is to prevent
anything like this from happening. By building a prepared statement, you
prevent the execution of anything in your values as code; the database will
only treat it as data, no matter what it contains.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
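
The contrast described in the reply above, as an added example that is not part of the original post: the same lookup written first with the value spliced into the SQL text (relying on CF's single-quote escaping), then with CFQUERYPARAM so the value travels as a bound parameter. The datasource "appDSN", the "users" table and the form field names are hypothetical.

```cfml
<!--- Added example: datasource, table and form fields are assumptions, not from the thread. --->
<cfparam name="form.lastName" default="">
<cfparam name="form.userId" default="0">

<!--- Escaping-dependent form: the value becomes part of the SQL text.
      Its safety rests on CF's single-quote escaping and the database's
      string parsing agreeing about where the literal ends. --->
<cfquery name="qByNameInline" datasource="appDSN">
    SELECT id, last_name
    FROM users
    WHERE last_name = '#form.lastName#'
</cfquery>

<!--- Bound form: the SQL text contains only placeholders. Each value is sent
      as a typed parameter, so the database never parses it as SQL. --->
<cftry>
    <cfquery name="qByNameBound" datasource="appDSN">
        SELECT id, last_name
        FROM users
        WHERE last_name = <cfqueryparam value="#form.lastName#"
                                        cfsqltype="cf_sql_varchar"
                                        maxlength="50">
          AND id <> <cfqueryparam value="#form.userId#"
                                  cfsqltype="cf_sql_integer">
    </cfquery>
    <cfoutput>#qByNameBound.recordCount# row(s) matched.</cfoutput>

    <cfcatch type="any">
        <!--- cfqueryparam validates type and length before the statement runs;
              a failed check (or any database error) lands here. --->
        <cflog file="application" type="warning"
               text="Query rejected: #cfcatch.message#">
        <cfoutput>Invalid input.</cfoutput>
    </cfcatch>
</cftry>
```

When reviewing existing templates, any `#variable#` that appears inside a cfquery body but outside a cfqueryparam tag marks a query still in the first form.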

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297383