This is wonderful and exactly what I want to hear, but now I wonder: why did I bother doing all this SQL security business in the first place? Will CF ever fail me in this regard? Also, I want to allow users to enter some data with ' and ; inside. I had planned to automatically strip it out, but if CF is smart enough to handle this for me, I don't need to worry about it, right?
Matthieu

-----Original Message-----
From: Matthew Walker [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 11, 2002 8:56 PM
To: CF-Talk
Subject: RE: How do I do a SQL insertion attack?

Yes. CF is smart enough to do this for you. You could try using
PreserveSingleQuotes(). Of course, a visitor isn't going to be able to do
that.

> -----Original Message-----
> From: Cornillon, Matthieu [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 12 July 2002 12:40 p.m.
> To: CF-Talk
> Subject: How do I do a SQL insertion attack?
>
> OK. Now I'm really confused. Here I've been slogging through all these
> measures to make a SQL insertion attack impossible, and now that I get to
> the point of testing, I can't get one to work even with all of my Rube
> Goldberg security systems turned off!
>
> This query for example:
>
> <CFSET AttackVar="ValidValue'; DELETE FROM USERS;">
> <CFQUERY name="AttackTest" datasource="#dsn#">
>   SELECT *
>   FROM DEPARTMENTS
>   WHERE DEPT_Name = '<CFOUTPUT>#AttackVar#</CFOUTPUT>'
> </CFQUERY>
>
> ..gets issued (according to the debugging reports returned by CF
> Administrator) as:
>
> SELECT *
> FROM DEPARTMENTS
> WHERE DEPT_Name = 'ValidValue''; DELETE FROM USERS;'
>
> It's as though it knows to "escape" the character. I tried every way I
> could think of, and I couldn't get the attack to do anything at all.
>
> Any ideas?
>
> Thanks,
> Matthieu
>
______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
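An added example, not code from the CF-Talk thread, that models in Python what the debug output above shows: CFQUERY doubles every single quote in an interpolated value, and PreserveSingleQuotes() switches that off. It reproduces the post's rendered SQL, then goes one step past the thread to the case Matthieu did not test, an unquoted numeric placeholder, where there is no quote for the payload to escape and quote doubling therefore changes nothing. `render_cfquery`, `cf_escape`, `split_statements` and `require_integer` are hypothetical helpers written for this example, not ColdFusion APIs, and the query strings and attack values are constructed inputs mirroring the post.

```python
import re

# Added example (not from the CF-Talk thread): a small model of how CFQUERY
# assembles the SQL it sends, so the behaviour seen in the post's debug
# output can be reproduced and probed offline. render_cfquery, cf_escape,
# split_statements and require_integer are hypothetical helpers, not CF APIs.


def cf_escape(value):
    """CFQUERY's default treatment of an interpolated value: every single
    quote is doubled, which is the SQL escape inside a quoted literal."""
    return str(value).replace("'", "''")


def render_cfquery(template, variables, preserve=frozenset()):
    """Substitute #name# tokens into the query text as CFQUERY would.

    Names listed in `preserve` are inserted verbatim, modelling
    PreserveSingleQuotes(); everything else goes through cf_escape().
    """
    def substitute(match):
        name = match.group(1)
        value = variables[name]
        return str(value) if name in preserve else cf_escape(value)
    return re.sub(r"#(\w+)#", substitute, template)


def split_statements(sql):
    """Split rendered SQL on semicolons that sit outside string literals,
    treating '' inside a literal as an escaped quote. The length of the
    result is the number of statements a batch-capable driver would run."""
    statements, buffer, in_string = [], [], False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if ch == "'" and sql[i + 1:i + 2] == "'":
                buffer.append("''")   # escaped quote, stay inside literal
                i += 2
                continue
            if ch == "'":
                in_string = False     # literal closed
        elif ch == "'":
            in_string = True          # literal opened
        elif ch == ";":
            text = "".join(buffer).strip()
            if text:
                statements.append(text)
            buffer = []
            i += 1
            continue
        buffer.append(ch)
        i += 1
    text = "".join(buffer).strip()
    if text:
        statements.append(text)
    return statements


def require_integer(value):
    """Server-side type check for an unquoted numeric placeholder, the kind
    of constraint a typed bind parameter enforces. Raises on anything that
    is not a plain integer literal."""
    if not re.fullmatch(r"-?\d+", str(value).strip()):
        raise ValueError(f"not an integer: {value!r}")
    return int(value)


# --- constructed inputs, mirroring the post ---------------------------------
ATTACK = "ValidValue'; DELETE FROM USERS;"
STRING_QUERY = "SELECT * FROM DEPARTMENTS WHERE DEPT_Name = '#AttackVar#'"
NUMERIC_QUERY = "SELECT * FROM DEPARTMENTS WHERE DEPT_ID = #DeptID#"


def quoted_context():
    """The post's exact case: quote doubling keeps the payload inside the
    literal, so only one statement reaches the database."""
    return split_statements(render_cfquery(STRING_QUERY, {"AttackVar": ATTACK}))


def quoted_context_preserved():
    """Same query with PreserveSingleQuotes(): the literal is closed early
    and the DELETE becomes a separate statement."""
    return split_statements(
        render_cfquery(STRING_QUERY, {"AttackVar": ATTACK}, preserve={"AttackVar"}))


def numeric_context():
    """Unquoted placeholder: there is no quote to double, so escaping does
    nothing and the payload needs no quote at all."""
    return split_statements(
        render_cfquery(NUMERIC_QUERY, {"DeptID": "1; DELETE FROM USERS"}))


if __name__ == "__main__":
    for fn in (quoted_context, quoted_context_preserved, numeric_context):
        print(f"{fn.__name__}: {fn()}")
```

The first function reproduces the rendered SQL in the post character for character, and `split_statements` confirms the database sees one statement. The third function is the answer to "will CF ever fail me": quote doubling is only a defence while the value lands inside a quoted literal, so `WHERE DEPT_ID = #url.id#` is as exposed as if no escaping existed. For such placeholders the value has to be constrained to the type the column expects, which is what `require_integer` does here and what a typed bind parameter (in CF, `<cfqueryparam>` with a `cfsqltype`) does properly.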

