> <shrug>
> I'm sure ASP has a feature like CF's cfqueryparam that would have prevented
> this.

It's worse than not sanitizing the data though -- the programmer hard-coded 
the SQL query as a URL variable, so you could see all the column names 
without even having to guess them, just by mousing over a link.  That's 
what's so astonishing about it.  The query itself must have been empty and 
getting its information from the URL variable, so you could put anything in 
the URL variable and it would work.  It would be like doing this:

<cfquery datasource="#mysensitivedata#">
<!--- the whole statement comes from the URL: whatever the client sends is executed as-is --->
#url.whatever#
</cfquery>

-- Josh


----- Original Message ----- 
From: "Tom Chiverton" <[EMAIL PROTECTED]>
To: "CF-Talk" <[email protected]>
Sent: Wednesday, April 16, 2008 7:23 AM
Subject: Re: Oklahoma Leaks Tens of Thousands of SSN's


> On Wednesday 16 Apr 2008, Russ wrote:
>> This was done in ASP, but seeing as CF is being used a lot in government
>> contracting, I hope nobody here is stupid enough to code something like
>> that.
>
> <shrug>
> I'm sure ASP has a feature like CF's cfqueryparam that would have prevented
> this.
>
> "There is no such thing as a bad language, only bad coding".
>
> -- 
> Tom Chiverton
> Helping to autoschediastically maximize network e-business
> on: http://thefalken.livejournal.com
>


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303568
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
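The three query patterns discussed in this thread (the whole statement taken from the URL as in Josh's cfquery sketch, a fixed statement with the URL value pasted into it, and a bound parameter as cfqueryparam provides) side by side, as an added example that is not from the thread or from the Oklahoma application. It uses Python's built-in sqlite3 in place of a ColdFusion datasource so it runs offline; the `citizens` table, its rows and the function names are constructed for illustration.

```python
"""Added example, not code from the CF-Talk thread: the three query patterns
from the discussion, run against Python's built-in sqlite3 instead of a
ColdFusion datasource. Table, rows and SSN values are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the 'mysensitivedata' datasource."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO citizens (id, name, ssn) VALUES (?, ?, ?)",
        [(1, "Alice", "111-11-1111"), (2, "Bob", "222-22-2222")],
    )
    conn.commit()
    return conn


def query_from_url(conn: sqlite3.Connection, url_whatever: str) -> list:
    """Pattern 1, the '#url.whatever#' case: the entire statement comes from the
    request. The client chooses the query, and the column names are visible
    in every link that carries it."""
    return conn.execute(url_whatever).fetchall()


def query_interpolated(conn: sqlite3.Connection, url_id: str) -> list:
    """Pattern 2: the statement is fixed but the URL value is pasted into it
    (the '#url.id#' habit). The value is parsed as SQL, so it is injectable."""
    return conn.execute(
        f"SELECT name FROM citizens WHERE id = {url_id} ORDER BY id"
    ).fetchall()


def query_parameterized(conn: sqlite3.Connection, url_id: str):
    """Pattern 3, the sqlite3 analogue of cfqueryparam with cfsqltype
    cf_sql_integer: the value is type-checked and then bound as data.
    Returns None when the input is not an integer instead of querying."""
    try:
        id_value = int(url_id)
    except ValueError:
        return None  # reject, as the typed cfqueryparam would
    return conn.execute(
        "SELECT name FROM citizens WHERE id = ? ORDER BY id", (id_value,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Pattern 1: the client simply asks for the sensitive column by name.
    print(query_from_url(db, "SELECT ssn FROM citizens ORDER BY id"))
    # Pattern 2: a classic tautology widens a lookup of one row to all rows.
    print(query_interpolated(db, "1 OR 1=1"))
    # Pattern 3: the same payload is rejected before any SQL runs.
    print(query_parameterized(db, "1 OR 1=1"))
    print(query_parameterized(db, "1"))
```

The ColdFusion form of pattern 3 is `<cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">` inside the cfquery body; the bound value is sent to the driver separately from the statement text, which is why neither a tautology nor a stray quote in the URL changes what the query does.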
