Sorry Dave...Didn't mean to send that just to you...My mistake!


I never really thought of anything like this.  Can session variables be
compromised doing the same thing?

http://mydomain.com/index.cfm?session.password=whatever

If so, this would be very upsetting to me.  

Thanks,

Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342


-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:36 AM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Preventing SQL injection attacks...?


> Could you show me an example of an SQL injection attack? I 
> want to test my app to see what I need to do to protect 
> against this.

All of these sorts of attacks rely on tampering with form or URL data to add
SQL statements directly to that data, on the assumption that the data may be
used in an SQL query, in which case the tampered data may execute within the
SQL database. Typically, you'll see examples where you've got a URL like
this:

http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable

However, in real life, typically you won't see attacks like that because there's
nothing to gain from dropping a table or deleting records. Real attacks are
usually more subtle and useful to the attacker. One of my favorites is the
use of the SQL Server system stored procedure xp_cmdshell to open a command
shell, which can be used to fetch a file from an attacker's FTP server and
run it. That's much more interesting.

Note also that most of the examples you'll see will show tampered URL data,
but you can do the same thing with form data almost as easily.

Here's a URL which describes SQL injection attacks:
http://www.owasp.org/asac/input_validation/sql.shtml

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
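The URL example in Dave's reply, worked through end to end as an added illustration (this is not code from Dave, the list, or any ColdFusion product). It uses Python with an in-memory SQLite database standing in for SQL Server, and a constructed table "mytable" with constructed rows; the tampered URL is the one quoted above. The vulnerable lookup builds the SQL text by string concatenation and uses executescript() to mimic a driver that accepts several ';'-separated statements in one call, which is the behaviour the injected "drop table" relies on. The two safer lookups bind the URL value as a query parameter, and the stricter one also rejects anything that is not an integer before the query is ever built.

```python
import sqlite3
from urllib.parse import unquote, urlsplit

# Constructed sample URL with the same shape as the example in the message above.
TAMPERED_URL = "http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable"
CLEAN_URL = "http://www.myserver.com/myfile.cfm?id=5"


def fresh_db():
    """Build an in-memory database holding a constructed, hypothetical 'mytable'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)", [(5, "five"), (6, "six")])
    conn.commit()
    return conn


def id_from_url(url):
    """Return the raw 'id' query value exactly as the web server would hand it to the page.

    Parsed by hand (split on '&' only) so that the ';' inside the payload stays part of
    the value, as it does in the URL Dave quotes; %20 is decoded back to a space.
    """
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == "id":
            return unquote(value)
    return ""


def table_exists(conn):
    """True while 'mytable' is still present in the database catalogue."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'mytable'"
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn, raw_id):
    """Vulnerable pattern: the URL data is pasted into the SQL text.

    executescript() stands in for drivers that run every ';'-separated statement in
    the string, so "5;drop table mytable" runs the SELECT and then the DROP.
    """
    sql = "SELECT name FROM mytable WHERE id = " + raw_id
    conn.executescript(sql)


def lookup_parameterized(conn, raw_id):
    """Bound parameter only: the whole URL value is compared as one literal, never parsed
    as SQL, so the tampered value simply matches no row."""
    rows = conn.execute("SELECT name FROM mytable WHERE id = ?", (raw_id,)).fetchall()
    return [r[0] for r in rows]


def lookup_validated(conn, raw_id):
    """Type check plus bound parameter: an id column takes integers, so anything else is
    refused before a query is built at all."""
    if not raw_id.isdigit():
        raise ValueError("id must be an integer, got %r" % raw_id)
    rows = conn.execute("SELECT name FROM mytable WHERE id = ?", (int(raw_id),)).fetchall()
    return [r[0] for r in rows]


def demo(url=TAMPERED_URL):
    """Run the same URL value through all three lookups and report what happened."""
    raw_id = id_from_url(url)
    outcome = {"raw_id": raw_id}

    conn = fresh_db()
    lookup_vulnerable(conn, raw_id)
    outcome["vulnerable_table_survives"] = table_exists(conn)

    conn = fresh_db()
    outcome["parameterized_rows"] = lookup_parameterized(conn, raw_id)
    outcome["parameterized_table_survives"] = table_exists(conn)

    conn = fresh_db()
    try:
        outcome["validated_rows"] = lookup_validated(conn, raw_id)
    except ValueError:
        outcome["validated_rows"] = None  # request rejected before any SQL ran
    outcome["validated_table_survives"] = table_exists(conn)
    return outcome


if __name__ == "__main__":
    for url in (TAMPERED_URL, CLEAN_URL):
        print(url)
        for key, value in demo(url).items():
            print("  %-30s %r" % (key, value))
```

Run it and the tampered URL drops the table only in the concatenated version; with a bound parameter the table survives and the query returns nothing, and with the integer check the request never reaches the database. The ColdFusion equivalent of the bound parameter is cfqueryparam, whose cfsqltype attribute also gives you the type check (for example cf_sql_integer for an id column).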
______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
