Let's say your query is:

    Select productName from products where productID = #url.productid#

If the URL is page.cfm?productid=2 then your DB sees:

    Select productName from products where productID = 2

But if a "hacker" (I hate that term - may eternal scorn be given to those who usurped the term and used it as a synonym for "cracker") enters this URL:

    Page.cfm?productid=2;delete%20from%20products

Then your DB sees:

    Select productName from products where productID = 2;delete from products

---
Billy Cravens

-----Original Message-----
From: Yager, Brian T Contractor/NCCIM [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:36 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

Dave,

Could you show me an example of an SQL injection attack? I want to test my app to see what I need to do to protect against this.

Thanks,

Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

> make sure you are at the latest MDAC and have all service
> pack applied for SQL. I think that the latest MDAC prevents
> attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all, use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

______________________________________________________________________
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
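The contrast the thread is about, as an added example that is not part of any message above and not ColdFusion code: Python's sqlite3 module stands in for the CF/SQL Server stack, with an in-memory table and constructed sample rows (SAMPLE_PRODUCTS). lookup_unsafe reproduces Billy Cravens' pattern of pasting the URL value into the SQL text, using executescript() because, like the batch-accepting drivers the thread discusses, it runs every statement it is handed. lookup_safe is the fix that <cfqueryparam cfsqltype="cf_sql_integer"> gives you in ColdFusion: reject anything that is not an integer, then bind the value as a parameter so it reaches the database as data, never as SQL. lookup_bound_only shows that even binding alone is enough to stop the injected string from becoming a statement. All function and constant names here are my own, and the two URL values are the ones from the thread.

```python
import sqlite3

# Constructed sample rows standing in for the "products" table in the thread.
SAMPLE_PRODUCTS = [(1, "Widget"), (2, "Gadget"), (3, "Gizmo")]

# The two URL values discussed in the thread: the normal one and the injected one.
NORMAL_ID = "2"
INJECTED_ID = "2;delete from products"


def make_db():
    """Build an in-memory products table filled with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (productID INTEGER PRIMARY KEY, productName TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def product_count(conn):
    """How many rows are left in products; the observable damage of the unsafe path."""
    return conn.execute("SELECT COUNT(*) FROM products").fetchone()[0]


def lookup_unsafe(conn, productid):
    """The pattern from the thread: the URL value is pasted straight into the SQL text.

    executescript() is used because, like the SQL Server drivers the thread
    discusses, it runs every statement in the batch, so a ';delete ...' tail
    is executed as SQL. It returns no rows; callers inspect the table instead.
    """
    sql = f"SELECT productName FROM products WHERE productID = {productid}"
    conn.executescript(sql)


def lookup_safe(conn, productid):
    """Hardened lookup: validate the type, then bind the value as a parameter.

    This is the equivalent of <cfqueryparam cfsqltype="cf_sql_integer">: a
    non-integer is rejected before the database sees it, and the integer is
    passed as a bound parameter rather than spliced into the statement.
    """
    try:
        pid = int(productid)
    except (TypeError, ValueError):
        return None
    row = conn.execute(
        "SELECT productName FROM products WHERE productID = ?", (pid,)
    ).fetchone()
    return row[0] if row else None


def lookup_bound_only(conn, productid):
    """Parameter binding without the integer check.

    The injected string is compared as a value against productID and simply
    matches nothing; the DELETE never becomes a statement of its own.
    """
    row = conn.execute(
        "SELECT productName FROM products WHERE productID = ?", (productid,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run each lookup against both URL values and report what happened to the table."""
    results = {}

    conn = make_db()
    lookup_unsafe(conn, NORMAL_ID)
    results["unsafe_normal_rows_left"] = product_count(conn)
    lookup_unsafe(conn, INJECTED_ID)
    results["unsafe_injected_rows_left"] = product_count(conn)

    conn = make_db()
    results["safe_normal"] = lookup_safe(conn, NORMAL_ID)
    results["safe_injected"] = lookup_safe(conn, INJECTED_ID)
    results["bound_only_injected"] = lookup_bound_only(conn, INJECTED_ID)
    results["safe_rows_left"] = product_count(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the unsafe lookup emptying the table on the injected value while both parameterised lookups leave all rows in place and return nothing for it. The integer check in lookup_safe is worth keeping even though binding alone neutralises the injection: it fails fast on malformed input and gives you a clean place to log the attempt.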

