> if you're using SQL server 7 you should _always_ use Val() in
> CFQUERY tags when expecting an integer because if your CFQUERY
> says:
>
> SELECT foo
> FROM bar
> WHERE id=#url.id#
>
> and someone changes the URL from:
> www.mysite.com/qwe.cfm?id=1
> to
> www.mysite.com/qwe.cfm?id=1;delete%20from%20bar
> then what gets thrown to the DB is:
>
> SELECT foo
> FROM bar
> WHERE id=1;delete from bar
>
> and SQL Server 7 treats this as 2 valid SQL statements and runs
> it....
>
> You should write:
>
> SELECT foo
> FROM bar
> WHERE id=#Val(url.id)#
To carry this one step further, you should always filter all input from the
browser to ensure it contains just the things you want to allow it to
contain - URL parameters, form fields, and CGI data. Security within web
application code tends to be weak to nonexistent.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
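The two defences raised in this thread (coerce the value with Val() so the trailing payload is dropped, and more generally allow-list every parameter the browser sends) can be seen side by side in the following Python script. It is an added example and not code from either poster or from ColdFusion: cf_val() is my approximation of ColdFusion's Val() (leading numeric prefix, else 0), the bar table and its rows are constructed for the demonstration, and the query is sent through a bound parameter so the database only ever receives one statement.

```python
import re
import sqlite3


def cf_val(text: str) -> float:
    """Approximation (written for this example) of ColdFusion's Val():
    return the leading numeric prefix of the string, or 0 if it has none.
    Everything after the first non-numeric character is discarded, which
    is why "1;delete from bar" collapses to 1."""
    match = re.match(r"\s*[+-]?(\d+\.?\d*|\.\d+)", text)
    return float(match.group(0)) if match else 0.0


class BadInput(ValueError):
    """Raised when a request parameter is unexpected or malformed."""


# Allow-list of the parameters this page accepts and the exact shape each
# may take. Anything not listed here is rejected outright (hypothetical
# parameter set chosen for the example).
ALLOWED_PARAMS = {
    "id": re.compile(r"\d{1,9}"),          # a positive integer key
    "sort": re.compile(r"name|date"),       # one of two fixed sort keys
}


def filter_params(params: dict, allowed: dict = ALLOWED_PARAMS) -> dict:
    """Return only parameters that are both expected and well-formed.

    Unknown names and values that do not fully match their pattern raise
    BadInput instead of being passed on to the query."""
    clean = {}
    for name, value in params.items():
        pattern = allowed.get(name)
        if pattern is None:
            raise BadInput(f"unexpected parameter {name!r}")
        if not pattern.fullmatch(value):
            raise BadInput(f"parameter {name!r} has an unacceptable value")
        clean[name] = value
    return clean


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the 'bar' table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bar (id INTEGER PRIMARY KEY, foo TEXT)")
    db.executemany("INSERT INTO bar (id, foo) VALUES (?, ?)",
                   [(1, "alpha"), (2, "beta"), (3, "gamma")])
    db.commit()
    return db


def lookup_foo(db: sqlite3.Connection, url_params: dict):
    """The CFQUERY from the thread done safely: validate the URL parameters
    first, then bind the integer so the driver never sees it as SQL text."""
    clean = filter_params(url_params)
    row = db.execute("SELECT foo FROM bar WHERE id = ?",
                     (int(clean["id"]),)).fetchone()
    return row[0] if row else None


def row_count(db: sqlite3.Connection) -> int:
    return db.execute("SELECT COUNT(*) FROM bar").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("Val() on the tampered value:", cf_val("1;delete from bar"))
    print("clean request:", lookup_foo(db, {"id": "1"}))
    try:
        lookup_foo(db, {"id": "1;delete from bar"})
    except BadInput as err:
        print("tampered request rejected:", err)
    print("rows still in bar:", row_count(db))
```

Val() alone silently turns the tampered value into 1 and serves the page as if nothing happened; the allow-list filter refuses the request instead, which is also the point at which a log entry for the attempt is worth writing.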
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists