No. That would end up in the URL scope: url.session.password

----- Original Message -----
From: "Yager, Brian T Contractor/NCCIM" <[EMAIL PROTECTED]>
Date: Friday, April 12, 2002 11:55 am
Subject: FW: Preventing SQL injection attacks...?

> Sorry Dave...Didn't mean to send that just to you...My mistake!
>
> I never really thought of anything like this. Can session variables be
> compromised doing the same thing..
>
> http://mydomain.com/index.cfm?session.password=whatever
>
> If so, this would be very upsetting to me.
>
> Thanks,
>
> Brian Yager
> President - North AL Cold Fusion Users Group
> Sr. Systems Analyst
> NCCIM/CIC
> [EMAIL PROTECTED]
> (256) 842-8342
>
>
> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 12, 2002 11:36 AM
> To: '[EMAIL PROTECTED]'
> Cc: '[EMAIL PROTECTED]'
> Subject: RE: Preventing SQL injection attacks...?
>
> > Could you show me an example of an SQL injection attack? I
> > want to test my app to see what I need to do to protect
> > against this.
>
> All of these sorts of attacks rely on tampering with form or URL data to add
> SQL statements directly to that data, on the assumption that the data may be
> used in an SQL query, in which case the tampered data may execute within the
> SQL database. Typically, you'll see examples where you've got a URL like
> this:
>
> http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable
>
> However, in real life, typically you won't see attacks like that because there's
> nothing to gain from dropping a table or deleting records. Real attacks are
> usually more subtle and useful to the attacker. One of my favorites is the
> use of the SQL Server system stored procedure xp_cmdshell to open a command
> shell, which can be used to fetch a file from an attacker's FTP server and
> run it. That's much more interesting.
>
> Note also that most of the examples you'll see will show tampered URL data,
> but you can do the same thing with form data almost as easily.
>
> Here's a URL which describes SQL injection attacks:
> http://www.owasp.or
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
>
______________________________________________________________________
Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
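Added example, not code from anyone in this thread: the lookup behind a URL like myfile.cfm?id=5 written two ways, with the URL value pasted into the SQL text and then bound with cfqueryparam, followed by a check of where a ?session.password=whatever parameter actually lands. The datasource myDSN, the tables mytable and users, their column names, and session management being enabled in Application.cfm are all assumptions.

```cfml
<!--- Constructed example for a page reached as myfile.cfm?id=5 --->
<cfparam name="url.id" default="0">
<cfparam name="form.username" default="">

<!--- VULNERABLE: url.id becomes part of the SQL text, so
      ?id=5;drop%20table%20mytable is sent to the database as a statement --->
<cfquery name="getRecord" datasource="myDSN">
    SELECT id, name
    FROM   mytable
    WHERE  id = #url.id#
</cfquery>

<!--- HARDENED: the value travels as a bound integer parameter, never as
      SQL text; "5;drop table mytable" fails the cf_sql_integer check
      before any query reaches the server --->
<cfquery name="getRecord" datasource="myDSN">
    SELECT id, name
    FROM   mytable
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Form fields are tampered with just as easily as URL data, so they get
      the same treatment; maxlength bounds the string the database sees --->
<cfquery name="findUser" datasource="myDSN">
    SELECT id
    FROM   users
    WHERE  username = <cfqueryparam value="#form.username#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>

<!--- Brian's question: ?session.password=whatever arrives as an ordinary
      URL key named "session.password" and does not touch the session scope --->
<cfoutput>
    URL key "session.password" present: #structKeyExists(url, "session.password")#<br>
    session.password set: #structKeyExists(session, "password")#
</cfoutput>
```

Request the page as myfile.cfm?id=5;drop%20table%20mytable with only the hardened query in place and ColdFusion raises an invalid-data error for the cf_sql_integer parameter instead of running the injected statement.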

