What if you added a replace statement, doubling up on all single quotes?...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:47 AM
To: CF-Talk
Subject: RE: RE: Preventing SQL injection attacks...?


still. if i had the value

tony ' drop table tablename--

and a cfqueryparam with a type of CF_SQL_VARCHAR

it would still pass in the value as such

select * from mytable where username = 'tony ' drop table tablename--'

which would cause the table to be dropped.


Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:45 PM
To: CF-Talk
Subject: Re: RE: Preventing SQL injection attacks...?


<cfqueryparam> does in fact prevent that code from running.
<cfqueryparam> creates a prepared statement with parameters.  It then
compares what you've entered as a value with the datatype you've
specified and, if successful, binds the parameters with what you've
entered.  So, if you entered:

select * from table where id = <cfqueryparam value="#url.id#"
cfsqltype="CF_SQL_DECIMAL">

and then in your url entered: id=12;drop table yourtable

It would throw you an error.

As well, if you had:

select * from table where id = <cfqueryparam value="#url.id#"
cfsqltype="CF_SQL_VARCHAR">

It would create the equivalent SQL statement of:

select * from table where id = '12;drop table yourtable'

----- Original Message -----
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:00 am
Subject: RE: Preventing SQL injection attacks...?

> let's say you have a text field that is 100 characters long. you can still
> get a "drop table tablename" appended to the sql statement or write an
> entire sql statement. Cfqueryparam was meant to speed up cfquery, not to be a
> cure-all.
>
> Anthony Petruzzi
> Webmaster
> 954-321-4703
> [EMAIL PROTECTED]
> http://www.sheriff.org
>
>
> -----Original Message-----
> From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 12, 2002 1:06 PM
> To: CF-Talk
> Subject: Re: Preventing SQL injection attacks...?
>
>
> [EMAIL PROTECTED] wrote:
>
> > you can't forget that form fields also play a part in this. after reading
> > the information provided in jeff's link, it did shine a light. although i
> > have been taught from the beginning to always use val() around numeric
> > values (thank Adam) and to use regex to validate text input (props
> > Raymond).
> > if you're anal and take the time to make sure that the information that
> > people are passing you is in the exact format you want, you shouldn't have a
> > problem. also, don't rely on javascript, i always do server-side validation
> > even after client side, just to make certain. i even go as far as putting as
> > much validation as i can into my stored procedures and triggers. although
> > SQL server doesn't support regular expressions, which sucks! anyone know a
> > way it could?
> >
> why not just use cfqueryparam, it validates and it makes your sql code
> run faster???
>
>
>

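A worked illustration of the binding behaviour described in the reply above, added here as an example and not code from the list or from ColdFusion itself: Python's sqlite3 stands in for cfquery, the `?` placeholder for cfqueryparam, and an integer check for the CF_SQL_DECIMAL type check; the table, its rows and the helper names are constructed for the example. It also tries the "double every single quote" suggestion from the top of the thread against the same payload.

```python
import sqlite3

# Constructed in-memory stand-in for the thread's "mytable"; nothing here is the
# list's own code or a real ColdFusion API.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE mytable (id INTEGER, username TEXT);
    INSERT INTO mytable VALUES (12, 'tony'), (13, 'zac');
""")

# The two payloads quoted in the thread.
VARCHAR_PAYLOAD = "tony ' drop table tablename--"
NUMERIC_PAYLOAD = "12;drop table yourtable"

def concatenated_sql(username):
    """The pattern cfqueryparam replaces: the value is pasted into the SQL text,
    so a quote inside the value ends the literal and the rest is parsed as SQL."""
    return f"select * from mytable where username = '{username}'"

def escaped_sql(username):
    """The 'double up on all single quotes' suggestion: keeps the value inside
    the string literal, but only helps for string parameters."""
    return concatenated_sql(username.replace("'", "''"))

def lookup_by_username(username):
    """Analog of <cfqueryparam cfsqltype="CF_SQL_VARCHAR">: the SQL text is fixed
    and the value is bound separately, so it is compared as one literal string."""
    return conn.execute("select * from mytable where username = ?",
                        (username,)).fetchall()

def lookup_by_id(raw_id):
    """Analog of CF_SQL_DECIMAL: the value must pass a type check before it is
    bound (an integer check stands in for the decimal check), else an error."""
    try:
        value = int(raw_id)
    except ValueError:
        raise ValueError(f"value does not match numeric type: {raw_id!r}")
    return conn.execute("select * from mytable where id = ?", (value,)).fetchall()

def table_exists(name):
    """Confirms that none of the bound or escaped lookups dropped the table."""
    row = conn.execute("select 1 from sqlite_master where type='table' and name=?",
                       (name,)).fetchone()
    return row is not None

if __name__ == "__main__":
    print("concatenated SQL text:", concatenated_sql(VARCHAR_PAYLOAD))
    print("bound lookup rows:", lookup_by_username(VARCHAR_PAYLOAD))
    print("escaped SQL rows:", conn.execute(escaped_sql(VARCHAR_PAYLOAD)).fetchall())
    print("table still exists:", table_exists("mytable"))
```

The concatenated text reproduces the statement from Anthony's reply character for character, while the bound query compares the whole payload as a username and returns no rows.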

______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists