Yes. CF is smart enough to do this for you. You could try using PreserveSingleQuotes(). Of course, a visitor isn't going to be able to do that.
> -----Original Message-----
> From: Cornillon, Matthieu [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 12 July 2002 12:40 p.m.
> To: CF-Talk
> Subject: How do I do a SQL insertion attack?
>
>
> OK. Now I'm really confused. Here I've been slogging through all these
> measures to make a SQL insertion attack impossible, and now that I get to
> the point of testing, I can't get one to work even with all of my Rube
> Goldberg security systems turned off!
>
> This query for example:
>
> <CFSET AttackVar="ValidValue'; DELETE FROM USERS;">
> <CFQUERY name="AttackTest" datasource="#dsn#">
> SELECT *
> FROM DEPARTMENTS
> WHERE DEPT_Name = '<CFOUTPUT>#AttackVar#</CFOUTPUT>'
> </CFQUERY>
>
> ...gets issued (according to the debugging reports returned by CF
> Administrator) as:
>
> SELECT *
> FROM DEPARTMENTS
> WHERE DEPT_Name = 'ValidValue''; DELETE FROM USERS;'
>
> It's as though it knows to "escape" the character. I tried every way I
> could think of, and I couldn't get the attack to do anything at all.
>
> Any ideas?
>
> Thanks,
> Matthieu
>
______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
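A worked model of the behaviour Matthieu observed, added here as an example; it is not code from the thread, from ColdFusion, or from anyone's application. A small Python function doubles the single quotes in interpolated values the way cfquery does (and leaves them alone for PreserveSingleQuotes()), and each rendered query is run against an in-memory SQLite database so the effect of each variant is visible. The cf_render function, the table contents, and every attack string except the one quoted above are constructed for the demonstration; sqlite3's executescript() stands in for a driver and database that accept stacked statements, which the thread's attack needs and which not every driver allows. The cases show why the quoted test was harmless (the value cannot leave its string literal), what PreserveSingleQuotes() gives up, and that the quote doubling buys nothing in an unquoted numeric context; the last case is the bound-parameter equivalent of CFML's cfqueryparam tag, the fix that does not depend on where the value lands in the SQL.

```python
"""Model of ColdFusion's cfquery single-quote escaping, run against SQLite.

Added example; not code from the CF-Talk thread or from ColdFusion itself.
cf_render() models what the thread observes: inside <cfquery>, the value of
every #expression# has its single quotes doubled (' -> '') before the SQL
text is sent, unless the expression is wrapped in PreserveSingleQuotes().
Tables, rows and the BALANCED_ATTACK / NUMERIC_ATTACK strings are constructed
for the demonstration; executescript() stands in for a driver and DBMS that
accept stacked statements.
"""
import re
import sqlite3

# Matches #Var# or #PreserveSingleQuotes(Var)# in a query body (model only;
# real CFML accepts arbitrary expressions between the hash marks).
_EXPR = re.compile(r"#(?:(PreserveSingleQuotes)\()?(\w+)\)?#")

# Verbatim from the thread. Note it leaves a dangling quote after the DELETE,
# which a batch-parsing DBMS would reject as a syntax error.
ATTACK = "ValidValue'; DELETE FROM USERS;"
# Constructed variants: the first balances the trailing quote so the stacked
# DELETE parses; the second is for an unquoted numeric context.
BALANCED_ATTACK = "ValidValue'; DELETE FROM USERS WHERE Username <> '"
NUMERIC_ATTACK = "1; DELETE FROM USERS;"


def cf_render(body, variables):
    """Substitute #expressions# the way cfquery does (modelled).

    Plain #Var#: single quotes in the value are doubled, so the value cannot
    terminate the string literal it is placed in.
    #PreserveSingleQuotes(Var)#: the value is inserted untouched.
    """
    def sub(m):
        preserve, name = m.group(1), m.group(2)
        value = str(variables[name])
        return value if preserve else value.replace("'", "''")
    return _EXPR.sub(sub, body)


def fresh_db():
    """Constructed schema: one department and two users."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE DEPARTMENTS (DEPT_ID INTEGER, DEPT_Name TEXT);"
        "CREATE TABLE USERS (Username TEXT);"
        "INSERT INTO DEPARTMENTS VALUES (1, 'ValidValue');"
        "INSERT INTO USERS VALUES ('alice'), ('bob');"
    )
    return db


def users_left(db):
    return db.execute("SELECT COUNT(*) FROM USERS").fetchone()[0]


def run_rendered(body, variables):
    """Render the query text as CF would and execute it as a script.

    Returns (sql_text_sent, users_remaining): what went over the wire, and
    whether the injected DELETE actually ran.
    """
    db = fresh_db()
    sql = cf_render(body, variables)
    db.executescript(sql)
    return sql, users_left(db)


def escaped_string_case():
    """The thread's own test: quoted string context, default escaping."""
    return run_rendered(
        "SELECT * FROM DEPARTMENTS WHERE DEPT_Name = '#AttackVar#'",
        {"AttackVar": ATTACK})


def preserved_string_case():
    """Same context with PreserveSingleQuotes(): the escaping is off and the
    (balanced) payload breaks out of the literal."""
    return run_rendered(
        "SELECT * FROM DEPARTMENTS WHERE DEPT_Name = "
        "'#PreserveSingleQuotes(AttackVar)#'",
        {"AttackVar": BALANCED_ATTACK})


def numeric_case():
    """Unquoted numeric context: there is no quote to escape, so doubling
    single quotes changes nothing and the stacked statement runs."""
    return run_rendered(
        "SELECT * FROM DEPARTMENTS WHERE DEPT_ID = #DeptID#",
        {"DeptID": NUMERIC_ATTACK})


def bound_parameter_case():
    """Analogue of <cfqueryparam>: the value travels as a bound parameter,
    never as SQL text, so no escaping decision is needed at all."""
    db = fresh_db()
    rows = db.execute("SELECT * FROM DEPARTMENTS WHERE DEPT_Name = ?",
                      (BALANCED_ATTACK,)).fetchall()
    return len(rows), users_left(db)


if __name__ == "__main__":
    for label, fn in [("escaped", escaped_string_case),
                      ("preserved", preserved_string_case),
                      ("numeric", numeric_case)]:
        sql, n = fn()
        print(f"{label:9s} users left: {n}\n  {sql}")
    print("bound     users left:", bound_parameter_case()[1])
```

The escaped case reproduces the debug output quoted above character for character, and both users survive it. Whether the preserved and numeric cases delete anything on a real deployment depends on the driver and database accepting more than one statement per query, which the thread does not say; what does not depend on anything is the bound-parameter case, where the payload is compared as data and no rows are touched.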

