OK. Now I'm really confused. Here I've been slogging through all these
measures to make a SQL insertion attack impossible, and now that I get to
the point of testing, I can't get one to work even with all of my Rube
Goldberg security systems turned off!
This query, for example:
<CFSET AttackVar="ValidValue'; DELETE FROM USERS;">
<CFQUERY name="AttackTest" datasource="#dsn#">
SELECT *
FROM DEPARTMENTS
WHERE DEPT_Name = '<CFOUTPUT>#AttackVar#</CFOUTPUT>'
</CFQUERY>
...gets issued (according to the debugging reports returned by CF
Administrator) as:
SELECT *
FROM DEPARTMENTS
WHERE DEPT_Name = 'ValidValue''; DELETE FROM USERS;'
It's as though it knows to "escape" the character. I tried every way I
could think of, and I couldn't get the attack to do anything at all.
Any ideas?
Thanks,
Matthieu
______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
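For comparison, here is the hardened form of the query from the post above, written as an added example rather than the poster's own code: the value is bound with CFQUERYPARAM instead of being interpolated into the SQL text, so it is passed to the driver as data and never parsed as SQL, regardless of whether ColdFusion's automatic quote doubling happens to apply. The datasource name and the maxlength of 50 are assumptions.

```cfml
<!--- Constructed test value, same shape as the poster's: a quote followed by a second statement --->
<CFSET AttackVar = "ValidValue'; DELETE FROM USERS;">

<!--- Hardened form: bind the value as a typed parameter. The statement text sent to the
      database contains a placeholder, not the value, so the quote and the semicolon in
      AttackVar can only ever be compared against DEPT_Name as a plain string. --->
<CFQUERY name="SafeTest" datasource="#dsn#">
    SELECT *
    FROM DEPARTMENTS
    WHERE DEPT_Name = <CFQUERYPARAM value="#AttackVar#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">   <!--- assumed column width --->
</CFQUERY>

<!--- Sanity check: the injected text simply matches no department, and USERS is untouched --->
<CFOUTPUT>#SafeTest.RecordCount# row(s) matched</CFOUTPUT>
```

The debugging output for this query shows the SQL with a `?` placeholder and the bound value listed separately, which is the quickest way to confirm that a query is parameterised rather than relying on quote escaping.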