That actually wouldn't work because ColdFusion automatically escapes
single quotes inside strings inside cfquery.
But maybe this:
<cfset NewPassword = "whatever" />
<cfset userid = "1 OR 1=1 --" />
<cfquery ...>
UPDATE users
SET pass = '#NewPassword#'
WHERE userid = '#Userid#'
</cfquery>
But... your point is well made :)
On Mon, Aug 17, 2009 at 9:22 AM, Peter Boughton<[email protected]> wrote:
>
> Not all injection tricks are based upon multi-statement SQL!
>
> Example bad code:
>
> <cfset NewPassword = "whatever" />
> <cfset Username = "bob' OR 1=1 --" />
>
> <cfquery ...>
> UPDATE users
> SET pass = '#NewPassword#'
> WHERE user = '#Username#'
> </cfquery>
>
>
> Using cfqueryparam will avoid this problem.
>
>
>
>
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325501
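
The cfqueryparam fix mentioned in the thread, applied to both queries above. This is an added example, not code from either poster; the datasource name "myDSN" is an assumption, and the table and column names are taken from the messages.

```cfml
<!--- Added example. "myDSN" is an assumed datasource name. --->
<cfset NewPassword = "whatever" />
<cfset Username = "bob' OR 1=1 --" />  <!--- hostile string from the quoted message --->
<cfset userid = "1 OR 1=1 --" />       <!--- hostile numeric value from the reply --->

<!--- String column: each value travels as a bound parameter and is never
      spliced into the SQL text, so the quote and the comment marker are data. --->
<cfquery datasource="myDSN">
    UPDATE users
    SET pass = <cfqueryparam value="#NewPassword#" cfsqltype="cf_sql_varchar" />
    WHERE user = <cfqueryparam value="#Username#" cfsqltype="cf_sql_varchar" />
</cfquery>
<!--- Only a row whose user column is literally  bob' OR 1=1 --  would match. --->

<!--- Numeric column: there are no quotes to break out of, so automatic
      single-quote escaping does not help here. cf_sql_integer makes
      ColdFusion validate the value and throw before anything reaches the database. --->
<cftry>
    <cfquery datasource="myDSN">
        UPDATE users
        SET pass = <cfqueryparam value="#NewPassword#" cfsqltype="cf_sql_varchar" />
        WHERE userid = <cfqueryparam value="#userid#" cfsqltype="cf_sql_integer" />
    </cfquery>
    <cfcatch type="any">
        <!--- "1 OR 1=1 --" is not an integer, so execution lands here. --->
        <cfoutput>Rejected userid: #HTMLEditFormat(cfcatch.message)#</cfoutput>
    </cfcatch>
</cftry>
```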