To my knowledge "sql insertion attacks" generally only happen (at least in
ColdFusion) when your code is fairly lenient / open ...
For instance ... something like this...
<cflock scope="session" type="exclusive" timeout="10">
<!--- copies every url key into session, whatever its name --->
<cfloop item="x" collection="#url#">
<cfset session[x] = url[x]>
</cfloop></cflock>
Then on another page
<cfquery name="rsdelete">
DELETE FROM #session.sqltable#
WHERE #session.sqltable#_ID
IN ( #session.selecteditems# )
</cfquery>
Or worse yet:
<cfquery name="rsdostuff">
#preservesinglequotes(session.sqlstatement)#
</cfquery>
Now, the person who might have written this code (or code like it) I'm sure
would have been expecting all of those variables to have been set by
legitimate features of their application or site, however, you can see how
easily the open-architecture ( which might make adding new features very
easy, if sloppy and error prone ) could and likely would quickly lead to
certain unscrupulous people doing things they shouldn't...
There are more obscure examples...
<cfquery name="rsupdate">
UPDATE USERS SET
layoutselection = #url.layoutselection#
WHERE USERID = #url.userid#
</cfquery>
could potentially cause problems if url.layoutselection isn't validated as a
number and a user enters something like
"&layoutselection=5,securitylevel%XX500" into the url... and suddenly a
utility designed to allow the user to change their preferences has allowed
them to become an administrator on the site...
hth
Isaac
www.turnkey.to
954-776-0046
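As an added example (not part of Isaac's message), the same three queries written the way they would be hardened today with cfqueryparam: the url-to-session copy restricted to known keys, the table name checked against a fixed list (table names cannot be bound as parameters), the IN list bound as integers, and the UPDATE values bound as integers so "5,securitylevel=500" is rejected by the driver instead of becoming part of the SET clause. The datasource name "mydsn", the allowed key and table lists, and the assumption that selecteditems is a comma-separated list of IDs are all hypothetical.

```cfml
<!--- Added example, not from the original message. Assumes a datasource
      "mydsn" and that session.selecteditems is a comma-separated list of
      integer IDs (both hypothetical). --->

<!--- 1. Copy only the keys this page expects from url into session,
      never every key the caller sends. --->
<cfset allowedKeys = "layoutselection,sqltable,selecteditems">
<cflock scope="session" type="exclusive" timeout="10">
    <cfloop list="#allowedKeys#" index="key">
        <cfif structKeyExists(url, key)>
            <cfset session[key] = url[key]>
        </cfif>
    </cfloop>
</cflock>

<!--- 2. A table name cannot go through cfqueryparam, so compare it with
      the fixed list of tables this page is allowed to delete from and
      stop if it is anything else. --->
<cfset allowedTables = "orders,products">
<cfif NOT listFindNoCase(allowedTables, session.sqltable)>
    <cfthrow message="Unexpected table name">
</cfif>
<cfquery name="rsdelete" datasource="mydsn">
    DELETE FROM #session.sqltable#
    WHERE #session.sqltable#_ID IN (
        <cfqueryparam cfsqltype="cf_sql_integer"
                      value="#session.selecteditems#" list="true">
    )
</cfquery>

<!--- 3. Bind each value as an integer. A value such as
      "5,securitylevel=500" fails the integer check and the query
      never runs with it. --->
<cfquery name="rsupdate" datasource="mydsn">
    UPDATE USERS SET
        layoutselection = <cfqueryparam cfsqltype="cf_sql_integer"
                                        value="#url.layoutselection#">
    WHERE USERID = <cfqueryparam cfsqltype="cf_sql_integer"
                                 value="#url.userid#">
</cfquery>
```

The rsdostuff query (executing a whole SQL statement stored in session) has no hardened form; there is nothing to bind when the statement itself is the input, so that pattern is simply replaced by fixed queries like the ones above.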