> Could you show me an example of an SQL injection attack? I > want to test my app to see what I need to do to protect > against this.
All of these sorts of attacks rely on tampering with form or URL data to add SQL statements directly to that data, on the assumption that the data may be used in an SQL query, in which case the tampered data may execute within the SQL database. Typically, you'll see examples where you've got a URL like this: http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable However, in real life, typically you won't attacks like that because there's nothing to gain from dropping a table or deleting records. Real attacks are usually more subtle and useful to the attacker. One of my favorites is the use of the SQL Server system stored procedure xp_cmdshell to open a command shell, which can be used to fetch a file from an attacker's FTP server and run it. That's much more interesting. Note also that most of the examples you'll see will show tampered URL data, but you can do the same thing with form data almost as easily. Here's a URL which describes SQL injection attacks: http://www.owasp.org/asac/input_validation/sql.shtml Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 ______________________________________________________________________ Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/[email protected]/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
