One should use parameterised SQL to get around that. For example:

<cfquery name="myQuery" datasource="MyDSN">
Select *
From MyTable
Where SomeField = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Form.SomeField#">
</cfquery>

> -----Original Message-----
> From: Don Vawter [mailto:[EMAIL PROTECTED]]
> Sent: 19 December 2001 16:38
> To: CF-Talk
> Subject: Re: SQL Attacks (was Forms and CF Code)
>
>
> I have a page up which discusses this
> http://www.vawter.com/urlhack.cfm
>
> ----- Original Message -----
> From: "Shawn Grover" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Wednesday, December 19, 2001 9:32 AM
> Subject: RE: SQL Attacks (was Forms and CF Code)
>
>
> > Don't forget the SQL attacks - similar to the type of attack we've been
> > discussing, but not addressed thus far.
> > Something like this:
> >
> > <cfquery name="myQuery" datasource="MyDSN">
> > Select *
> > From MyTable
> > Where SomeField = #Form.SomeField#
> > </cfquery>
> >
> > Now if Form.SomeField were "b'; use dbname; drop table tablename; --'"
> >
> > then the original query would get executed with 'b' as the filter, but then
> > standard SQL commands are issued. The "--'" ensures that anything following
> > this point is treated as a comment. Try it out on one of YOUR sites -
> > except maybe replace the drop table statement with a select or something...
> >
> > Protect against this by using stored procedures where possible and/or doing
> > some sort of filter. The preservesinglequotes might help with this too, not
> > sure.
> >
> > No, I'm not revealing anything new here - I learned the details of this at
> > the MS PDC conference in LA, and know I've seen reference to the issue on
> > the list a few times.
> >
> > Here's hoping that mentioning it here helps improve some sites.
> >
> > Shawn Grover
> >
> > -----Original Message-----
> >
> > This is bad for multiple reasons. I don't deny that many people do it,
> > but as a reminder, it's much easier, and quicker, to do:
> >
> > <cfset temp = form[field]>
> >
> > Furthermore, this is only an issue if you pass a _function_ as you
> > describe below.
> >
> >
> > > In testing somebody's site I have used this to slow his site
> > > to a crawl
> > > by making a custom form with code like:
> > > <form action="">
> > > <input type="text" name="CFUSION_DBCONNECTIONS_FLUSH()">
> > > </form>
> >
> > Interesting. Good point. This is one more reason why we need to preach
> > to people to NOT use evaluate to get form fields. I need to go on a
> > crusade or something. ;)
> >
> >
> > ===================================================================
> > Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
> >
> > Email : [EMAIL PROTECTED]
> > Yahoo IM : morpheus
> >
> > "My ally is the Force, and a powerful ally it is." - Yoda
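The contrast the thread draws between interpolating Form.SomeField into the SQL text and binding it with cfqueryparam, as an added example that is not part of the original thread. Python with an in-memory sqlite3 database stands in for the ColdFusion datasource; the table, its rows and the helper names are constructed for the example, and the payload is the one quoted above.

```python
import sqlite3

# Payload quoted in the thread (constructed sample input for this example).
ATTACK_VALUE = "b'; use dbname; drop table tablename; --'"


def interpolated_sql(some_field: str) -> str:
    """Build the query the way the vulnerable <cfquery> does: the raw form
    value is pasted into the SQL text.  Returned for inspection, not run:
    sqlite3 refuses multi-statement strings in execute(), whereas an
    MS SQL datasource like the one in the thread would run the whole batch."""
    return f"Select * From MyTable Where SomeField = '{some_field}'"


def semicolons_outside_quotes(sql: str) -> int:
    """Review-time check over generated SQL: count ';' that sit outside
    single-quoted literals.  A single WHERE filter should give 0; anything
    more means the value has broken out of its literal and added statements."""
    count, in_quote = 0, False
    for ch in sql:
        if ch == "'":
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            count += 1
    return count


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for MyTable on the MyDSN datasource."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (SomeField TEXT)")
    conn.executemany("INSERT INTO MyTable VALUES (?)", [("a",), ("b",), ("c",)])
    return conn


def parameterised_query(conn: sqlite3.Connection, some_field: str) -> list:
    """The <cfqueryparam> shape: the value is bound as a parameter, so the
    entire payload is compared as one literal string and never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM MyTable WHERE SomeField = ?", (some_field,)
    ).fetchall()


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'MyTable'"
    ).fetchone()
    return row is not None
```

With the payload bound as a parameter the query simply returns no rows and MyTable is untouched; the interpolated text for the same input carries three extra statement terminators, which is what the trailing "--'" comment is there to hide.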

