What function would you use if the UserID contained characters and numbers
such as SPAL12?
Sebastian
on 4/13/01 8:23 AM, Tim Painter at [EMAIL PROTECTED] wrote:
> In your example, where you pass the userID on the line, using Val can
> overcome it.
>
> http://www.mysite.com/doLogin.php?UserID=12345+TRUNCATE+TABLE+Items
>
> <cfquery name="foo" datasource="bar">
> Select * from Users where UserID = #Val(url.UserID)#
> </cfquery>
> ----- Original Message -----
> From: "sebastian palmigiani" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Friday, April 13, 2001 8:13 AM
> Subject: Security & Scripting
>
>
>>
>> There is an excellent small article on security vis a vis URL, cookie and
>> form parameters at:
>>
>> http://webreview.com/2001/04_13/developers/index02.shtml
>>
>> My question is what do the members of this list use to prevent malicious
>> attempts to alter or destroy a database by means of the URL, form or cookie,
>> such as the example given in the article:
>>
>> http://www.mysite.com/doLogin.php?UserID=12345
>>
>> changed to
>>
>> http://www.mysite.com/doLogin.php?UserID=12345+TRUNCATE+TABLE+Items
>>
>> or when someone enters a SQL command in a form text box
>>
>> 12345 TRUNCATE TABLE Items
>>
>> I guess one could do a content check of every submitted variable to detect
>> SQL statements such as TRUNCATE, DELETE, UPDATE, INSERT, etc.
>>
>> Thanks,
>> Sebastian
>>
>>
>>
>
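An added CFML example, not from the thread or from any list member, putting Tim's Val() suggestion beside an approach that also covers alphanumeric IDs like the SPAL12 in Sebastian's follow-up: Val() returns 0 for such a value, so the example instead checks the value against an expected format (the regex is an assumed format) and binds it with cfqueryparam (ColdFusion 4.5 and later) so it reaches the database as a typed parameter rather than as SQL text. The datasource name "bar" is taken from Tim's snippet.

```cfml
<!--- Constructed sample input; in practice this arrives on the query string.
      Try "12345 TRUNCATE TABLE Items" and "SPAL12" to compare the two paths. --->
<cfparam name="url.UserID" default="SPAL12">

<!--- 1. Numeric-only IDs (Tim's approach): Val() keeps the leading number and
      drops everything after it, so "12345 TRUNCATE TABLE Items" becomes 12345
      and the trailing SQL never reaches the database. --->
<cfquery name="byNumericID" datasource="bar">
    SELECT * FROM Users WHERE UserID = #Val(url.UserID)#
</cfquery>

<!--- 2. Alphanumeric IDs such as SPAL12: Val("SPAL12") is 0, so Val() cannot be
      used. First reject anything outside the expected format (assumed here:
      letters and digits only, at most 10 characters) before any query runs. --->
<cfif NOT REFind("^[A-Za-z0-9]{1,10}$", url.UserID)>
    <cfabort showerror="Invalid UserID format">
</cfif>

<!--- Then bind the value as a parameter instead of splicing it into the SQL.
      A value like "12345 TRUNCATE TABLE Items" would fail the check above;
      even if it reached this query it would be compared as a plain string,
      not executed as a second statement. --->
<cfquery name="byAlphaID" datasource="bar">
    SELECT * FROM Users
    WHERE UserID = <cfqueryparam value="#url.UserID#"
                                 cfsqltype="cf_sql_varchar"
                                 maxlength="10">
</cfquery>
```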
Archives: http://www.mail-archive.com/[email protected]/