I noticed that since I started securing the site also with the cfif EXEC, I have fewer hits with the code. Three days ago and earlier I got hit like every hour; these past two days I got two hits a day to the exact same page with the exact same variables in the URL....
On Thu, Jul 24, 2008 at 3:05 PM, Radek Valachovic <[EMAIL PROTECTED]> wrote:
> Great, yes, I understand. Basically it runs another script against the database, so
> it assumes that it is not part of the user_id. Good, thanks.
>
>
> On Thu, Jul 24, 2008 at 3:05 PM, Dave Watts <[EMAIL PROTECTED]> wrote:
>
>> > How can it be processed when USER_ID in the database is
>> > specified for LENGTH 15 and USER_ID with hacker code has
>> > a length like 100?
>>
>> For the purpose of preventing SQL injection, the length of the field in your
>> prepared statement doesn't matter. It is enough for it to be a prepared
>> statement, which you build in CF using CFQUERYPARAM. Without it, the
>> database has no idea which parts of the query are supposed to be executable
>> SQL, and which parts are supposed to be data.
>>
>> In a successful SQL injection attack, the value that's injected would be
>> more than just your USER_ID value; it would also contain executable SQL
>> code, and your database would simply execute the code; it would not assume
>> that this code is supposed to be part of your USER_ID value.
>>
>> Dave Watts, CTO, Fig Leaf Software
>> http://www.figleaf.com/
>>
>> Fig Leaf Software provides the highest caliber vendor-authorized
>> instruction at our training centers in Washington DC, Atlanta,
>> Chicago, Baltimore, Northern Virginia, or on-site at your location.
>> Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309669
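The point Dave makes above (that with a prepared statement the whole submitted value is treated as data, regardless of how long it is or what SQL it contains) is easy to see with a small in-memory database. The following is an added example, not code from anyone in this thread; it uses Python's sqlite3 module rather than ColdFusion, with the `?` placeholder playing the role of `<cfqueryparam>`. The table, the two sample users and the 100-character injected USER_ID are all constructed for the demonstration.

```python
"""Constructed demonstration: string-concatenated SQL vs. a prepared statement.

The injected USER_ID below is 100 characters long, far longer than the
15-character column it is compared against, exactly the situation asked
about in the thread.
"""
import sqlite3


def make_db():
    """Build a throwaway in-memory database with a VARCHAR(15) USER_ID column.

    Note: SQLite does not enforce the declared length; other engines would
    still just compare (or reject) the literal, never execute it.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id VARCHAR(15) PRIMARY KEY, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice01", "alice@example.com"), ("bob02", "bob@example.com")],
    )
    return conn


# Constructed attacker value: closes the quoted string, adds an always-true
# condition, then comments out the rest of the line (including the closing
# quote the application appends). Padded with 'A's to reach 100 characters.
INJECTED_USER_ID = "x' OR 1=1 -- " + "A" * 87


def lookup_concatenated(conn, user_id):
    """VULNERABLE: the submitted value is spliced into the SQL text.

    The database cannot tell where the data ends and the SQL begins, so the
    injected OR 1=1 is parsed and executed as part of the WHERE clause.
    """
    sql = "SELECT email FROM users WHERE user_id = '" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_id):
    """SAFE: prepared statement; the value is bound as a parameter.

    The SQL text is fixed before the value is supplied, so the entire
    100-character string is compared against user_id as one literal. No row
    has that user_id, so nothing is returned and nothing is executed.
    """
    sql = "SELECT email FROM users WHERE user_id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    print("injected value length:", len(INJECTED_USER_ID))
    print("concatenated  :", lookup_concatenated(db, INJECTED_USER_ID))
    print("parameterized :", lookup_parameterized(db, INJECTED_USER_ID))
    print("legit, param  :", lookup_parameterized(db, "alice01"))
```

Running it shows the concatenated query returning every user's email address, while the parameterized query returns no rows for the same input and still finds the legitimate user. This is why the column's declared length is irrelevant to the defence: it is the placeholder, not the width of USER_ID, that keeps the injected text from ever being parsed as SQL.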

