I have a page up which discusses this http://www.vawter.com/urlhack.cfm
----- Original Message -----
From: "Shawn Grover" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, December 19, 2001 9:32 AM
Subject: RE: SQL Attacks (was Forms and CF Code)

> Don't forget the SQL attacks - similar to the type of attack we've been
> discussing, but not addressed thus far.
> Something like this:
>
> <cfquery name="myQuery" datasource="MyDSN">
> Select *
> From MyTable
> Where SomeField = #Form.SomeField#
> </cfquery>
>
> Now if Form.SomeField were "b'; use dbname; drop table tablename; --'"
>
> then the original query would get executed with 'b' as the filter, but then
> standard SQL commands are issued. The "--'" ensures that anything following
> this point is treated as a comment. Try it out on one of YOUR sites -
> except maybe replace the drop table statement with a select or something...
>
> Protect against this by using stored procedures where possible and/or doing
> some sort of filter. PreserveSingleQuotes might help with this too, not
> sure.
>
> No, I'm not revealing anything new here - I learned the details of this at
> the MS PDC conference in LA, and know I've seen reference to the issue on
> the list a few times.
>
> Here's hoping that mentioning it here helps improve some sites.
>
> Shawn Grover
>
> -----Original Message-----
>
> This is bad for multiple reasons. I don't deny that many people do it,
> but as a reminder, it's much easier, and quicker, to do:
>
> <cfset temp = form[field]>
>
> Furthermore, this is only an issue if you pass a _function_ as you
> describe below.
>
> > In testing somebody's site I have used this to slow his site
> > to a crawl
> > by making a custom form with code like:
> > <form action="">
> > <input type="text" name="CFUSION_DBCONNECTIONS_FLUSH()">
> > </form>
>
> Interesting. Good point. This is one more reason why we need to preach
> to people to NOT use evaluate to get form fields. I need to go on a
> crusade or something.
> ;)
>
> =======================================================================
> Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
>
> Email : [EMAIL PROTECTED]
> Yahoo IM : morpheus
>
> "My ally is the Force, and a powerful ally it is." - Yoda
>
______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
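The injection Shawn describes, reproduced as an added example that is not part of the thread and not anyone's posted code. It is written against Python's sqlite3 module rather than ColdFusion so that it runs offline: the schema, rows, table and column names are constructed for the demo, and since sqlite3's execute() refuses multi-statement strings, the "driver that accepts a batch" which the stacked DROP TABLE relies on is emulated by a deliberately naive split on ';'. The "use dbname;" step from the post is dropped because SQLite has no USE statement. The hardened variant uses a bound parameter, which is what <cfqueryparam> does inside a <cfquery> in ColdFusion.

```python
import sqlite3

# Constructed sample schema and rows for the demo; not from the original thread.
SCHEMA = """
CREATE TABLE MyTable (id INTEGER PRIMARY KEY, SomeField TEXT, Secret TEXT);
INSERT INTO MyTable VALUES (1, 'a', 'alpha');
INSERT INTO MyTable VALUES (2, 'b', 'bravo');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def build_unsafe_sql(some_field):
    """Equivalent of  Where SomeField = '#Form.SomeField#'  in the post:
    the form value is pasted straight into the SQL text, quotes and all."""
    return f"SELECT id, Secret FROM MyTable WHERE SomeField = '{some_field}'"


def lookup_unsafe(conn, some_field):
    """Vulnerable lookup on a driver that accepts several statements per call.

    sqlite3.Connection.execute refuses multi-statement strings, so a permissive
    driver is emulated here by splitting the text on ';' and running each piece.
    Splitting on ';' is only adequate for this demo, not a real batch parser.
    """
    rows = []
    for stmt in build_unsafe_sql(some_field).split(";"):
        stmt = stmt.strip()
        if not stmt or stmt.startswith("--"):  # the attacker's trailing comment
            continue
        rows.extend(conn.execute(stmt).fetchall())
    return rows


def lookup_safe(conn, some_field):
    """Parameterised lookup: the value travels separately from the SQL text, so
    quotes, semicolons and comment markers in it are just characters to match.
    The ColdFusion counterpart is <cfqueryparam> inside <cfquery>."""
    return conn.execute(
        "SELECT id, Secret FROM MyTable WHERE SomeField = ?", (some_field,)
    ).fetchall()


# The payload from the post, minus "use dbname;" (SQLite has no USE statement).
PAYLOAD = "b'; DROP TABLE MyTable; --'"


def demo():
    """Returns, per variant, what the caller got back and whether MyTable survived."""
    results = {}

    conn = make_db()
    rows = lookup_unsafe(conn, PAYLOAD)   # runs SELECT ... = 'b', then DROP TABLE
    results["unsafe"] = (rows, table_exists(conn, "MyTable"))

    conn = make_db()
    rows = lookup_safe(conn, PAYLOAD)     # searches for the literal string; no match
    results["safe"] = (rows, table_exists(conn, "MyTable"))

    # Single-statement variant: no batching needed, the WHERE clause is rewritten.
    conn = make_db()
    results["unsafe_or"] = lookup_unsafe(conn, "x' OR '1'='1")
    results["safe_or"] = lookup_safe(conn, "x' OR '1'='1")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The unsafe path returns the 'b' row and then the table is gone, exactly the sequence the post describes; the parameterised path returns nothing and leaves the table intact. The "x' OR '1'='1" case shows that a single-statement driver does not save you either: the filter itself is rewritten, so every row comes back.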

