what is regex? I don't see it in my functions list (Forta CF5 Web Application Kit).
Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:42 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

You can't forget that form fields also play a part in this. After reading the information provided in Jeff's link, it did shine a light. Although I have been taught from the beginning to always use val() around numeric values (thank Adam) and to use regex to validate text input (props Raymond). If you're anal and take the time to make sure that the information that people are passing you is in the exact format you want, you shouldn't have a problem. Also, don't rely on JavaScript; I always do server-side validation even after client side, just to make certain. I even go as far as putting as much validation as I can into my stored procedures and triggers. Although SQL Server doesn't support regular expressions, which sucks! Anyone know a way it could?

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:36 PM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

> Could you show me an example of an SQL injection attack? I
> want to test my app to see what I need to do to protect
> against this.

All of these sorts of attacks rely on tampering with form or URL data to add SQL statements directly to that data, on the assumption that the data may be used in an SQL query, in which case the tampered data may execute within the SQL database. Typically, you'll see examples where you've got a URL like this:

http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable

However, in real life, typically you won't see attacks like that because there's nothing to gain from dropping a table or deleting records.
Real attacks are usually more subtle and useful to the attacker. One of my favorites is the use of the SQL Server system stored procedure xp_cmdshell to open a command shell, which can be used to fetch a file from an attacker's FTP server and run it. That's much more interesting. Note also that most of the examples you'll see will show tampered URL data, but you can do the same thing with form data almost as easily.

Here's a URL which describes SQL injection attacks:
http://www.owasp.org/asac/input_validation/sql.shtml

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
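As an added example (not code from any poster in this thread), here is the server-side validation Anthony describes, written for CF5 against the id parameter from Dave's sample URL: Val() and IsNumeric() on the numeric value, REFind() as an allow-list on a text field (REFind/REReplace are the regular-expression functions Brian is looking for in the CF5 function list), and cfqueryparam so the values reach the database as bound parameters rather than spliced into the SQL text. The datasource name myDSN and the users table with its id and username columns are assumptions for the example.

```cfml
<!--- Added example, not from the thread. Assumed: datasource "myDSN",
      table "users" with columns id and username. --->

<!--- url.id from the sample URL could arrive as "5;drop table mytable" --->
<cfparam name="url.id" default="0">
<cfparam name="form.username" default="">

<!--- Numeric input: Val("5;drop table mytable") returns 5 and Val("abc") returns 0,
      so wrapping the value in Val() strips the injected text. Rejecting non-numeric
      input outright with IsNumeric() is stricter than silently coercing it. --->
<cfif NOT IsNumeric(url.id)>
    <cfthrow message="id must be numeric">
</cfif>
<cfset safeId = Val(url.id)>

<!--- Text input: REFind() is the CF5 regular-expression function and returns 0 when
      there is no match. Allow only the characters the field is expected to contain. --->
<cfif Len(form.username) GT 30 OR NOT REFind("^[A-Za-z0-9_]+$", form.username)>
    <cfthrow message="username contains unexpected characters">
</cfif>

<!--- cfqueryparam sends each value as a bound parameter of the declared type,
      so even a value that passed validation is never concatenated into the SQL. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE id = <cfqueryparam value="#safeId#" cfsqltype="cf_sql_integer">
      AND username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="30">
</cfquery>
```

The two checks are complementary: the regex and IsNumeric() reject input that is not in the expected format before any query runs, and cfqueryparam guarantees that whatever does reach the query is treated as data, not as SQL. Doing both also covers the form-field case Anthony and Dave raise, since form.username is validated the same way as url.id.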

