Matthew,

Thanks for your help on this.  For numeric fields, I am using CFQUERYPARAM,
because it's easy to say that I only want a number when I want a number.
I'll watch for this on dates as well, although I currently don't allow users
to input dates anywhere in the system.  Text is really the only area of
concern.  So it looks like I can skip any ' or ; replacing.

Thanks again,
Matthieu

-----Original Message-----
From: Matthew Walker [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 11, 2002 9:15 PM
To: CF-Talk
Subject: RE: How do I do a SQL insertion attack?


I guess a concern might be where a numeric field is expected:

WHERE DEPT_id = <CFOUTPUT>#AttackVar#</CFOUTPUT>

Here you can use #Val(AttackVar)# to stop security problems and ugly
database errors. 

Another area of concern could be dates, which you can enclose in hashes
(#). Personally I always use CreateODBCDate() anyway.



> -----Original Message-----
> From: Cornillon, Matthieu [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 12 July 2002 12:57 p.m.
> To: CF-Talk
> Subject: RE: How do I do a SQL insertion attack?
> 
> 
> This is wonderful and exactly what I want to hear, but now I wonder: why did
> I bother doing all this SQL security business in the first place?  Will CF
> ever fail me in this regard?  Also, I want to allow users to enter some data
> with ' and ; inside.  I had planned to automatically strip it out, but if CF
> is smart enough to handle this for me, I don't need to worry about it,
> right?
> 
> Matthieu
> 
> -----Original Message-----
> From: Matthew Walker [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 11, 2002 8:56 PM
> To: CF-Talk
> Subject: RE: How do I do a SQL insertion attack?
> 
> 
> Yes. CF is smart enough to do this for you. You could try using
> PreserveSingleQuotes(). Of course, a visitor isn't going to be able to
> do that.
> 
> > -----Original Message-----
> > From: Cornillon, Matthieu [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, 12 July 2002 12:40 p.m.
> > To: CF-Talk
> > Subject: How do I do a SQL insertion attack?
> > 
> > 
> > OK.  Now I'm really confused.  Here I've been slogging through all these
> > measures to make a SQL insertion attack impossible, and now that I get to
> > the point of testing, I can't get one to work even with all of my Rube
> > Goldberg security systems turned off!
> > 
> > This query for example:
> > 
> > <CFSET AttackVar="ValidValue'; DELETE FROM USERS;">
> > <CFQUERY name="AttackTest" datasource="#dsn#">
> >     SELECT *
> >     FROM DEPARTMENTS
> >     WHERE DEPT_Name = '<CFOUTPUT>#AttackVar#</CFOUTPUT>'
> > </CFQUERY>
> > 
> > ..gets issued (according to the debugging reports returned by CF
> > Administrator) as:
> > 
> >     SELECT *
> >     FROM DEPARTMENTS
> >     WHERE DEPT_Name = 'ValidValue''; DELETE FROM USERS;'
> > 
> > It's as though it knows to "escape" the character.  I tried every way I
> > could think of, and I couldn't get the attack to do anything at all.
> > 
> > Any ideas?
> > 
> > Thanks,
> > Matthieu
> > 
> 
> 

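The two contexts the thread contrasts, modelled as an added Python example (not ColdFusion code from the thread): the quote doubling CFQUERY applies to a #variable# inside a quoted literal, the unquoted numeric context where that doubling does not help, a model of Val(), and a bound parameter standing in for CFQUERYPARAM. The escaping and Val() models, the literal scanner and the SQLite sample rows are assumptions constructed for this example; the sample input is the value from the original message.

```python
import re
import sqlite3

# Constructed sample input: the value from Matthieu's test query.
ATTACK_VAR = "ValidValue'; DELETE FROM USERS;"

def cf_escape_quotes(value: str) -> str:
    """Model of what CFQUERY does to a #variable# in the query body: every
    single quote is doubled, so it cannot close an enclosing SQL literal."""
    return str(value).replace("'", "''")

def cf_val(value: str) -> float:
    """Model of ColdFusion's Val(): the leading numeric prefix, else 0."""
    m = re.match(r"\s*[-+]?(\d+\.?\d*|\.\d+)", str(value))
    return float(m.group(0)) if m else 0.0

def quoted_string_query(value: str) -> str:
    # WHERE DEPT_Name = '#AttackVar#': the doubled quote keeps the input inside the literal.
    return f"SELECT * FROM DEPARTMENTS WHERE DEPT_Name = '{cf_escape_quotes(value)}'"

def unquoted_numeric_query(value: str) -> str:
    # WHERE DEPT_id = #AttackVar#: there is no literal to protect, so quote
    # doubling changes nothing and the input lands in the statement verbatim.
    return f"SELECT * FROM DEPARTMENTS WHERE DEPT_id = {cf_escape_quotes(value)}"

def val_numeric_query(value: str) -> str:
    # WHERE DEPT_id = #Val(AttackVar)#: only the numeric prefix survives.
    return f"SELECT * FROM DEPARTMENTS WHERE DEPT_id = {cf_val(value):g}"

def has_terminator_outside_literal(sql: str) -> bool:
    """Review check: does a ';' appear outside any single-quoted literal?
    A doubled '' toggles the state twice, so it stays inside the literal."""
    in_literal = False
    for ch in sql:
        if ch == "'":
            in_literal = not in_literal
        elif ch == ";" and not in_literal:
            return True
    return False

def parameterized_lookup(value: str):
    """The CFQUERYPARAM approach: the value is bound, never spliced into SQL.
    Uses an in-memory SQLite database with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE DEPARTMENTS (DEPT_id INTEGER, DEPT_Name TEXT)")
    con.execute("CREATE TABLE USERS (id INTEGER)")
    con.executemany("INSERT INTO DEPARTMENTS VALUES (?, ?)", [(1, "Sales"), (2, "ValidValue")])
    con.execute("INSERT INTO USERS VALUES (1)")
    rows = con.execute("SELECT * FROM DEPARTMENTS WHERE DEPT_Name = ?", (value,)).fetchall()
    users_left = con.execute("SELECT COUNT(*) FROM USERS").fetchone()[0]
    return rows, users_left
```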