Isaac, First of all, every time I see your name as it appears on the list (S. Isaac Dealey), my brain for some reason automatically translates it into Sir Isaac Dealey. So if I call you Sir Isaac by accident, I hope that you don't mind. :)
OK. As for the subject at hand: I think I understand why an attack would work in the setting you've laid out. So as long as I'm not lenient or open, I should more or less be okay, it seems.

Every time that I have:

    ...WHERE ColName = #CFVariable#

..I am first validating the variable as a numeric, and then using CFQUERYPARAM around the variable name in the query itself. All of the variables, whether text-based or not, are screened using regexes before submission to a SQL query for any attack patterns I can think of. With that approach, I expected that I'd still have to filter out ' and ; characters, but it sounds like I don't even need to do that. If you or anyone else can verify this, I'd appreciate it.

Thanks a lot,
Matthieu

-----Original Message-----
From: S. Isaac Dealey [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 11, 2002 9:17 PM
To: CF-Talk
Subject: Re: How do I do a SQL insertion attack?

To my knowledge "sql insertion attacks" generally only happen (at least in ColdFusion) when your code is fairly lenient / open ... For instance ... something like this...

    <cflock scope="session">
        <!--- copies every URL parameter straight into the session scope --->
        <cfloop item="x" collection="#url#">
            <cfset session[x] = url[x]>
        </cfloop>
    </cflock>

Then on another page

    <cfquery name="rsdelete">
        DELETE FROM #session.sqltable#
        WHERE #session.sqltable#_ID IN ( #session.selecteditems# )
    </cfquery>

Or worse yet:

    <cfquery name="rsdostuff">
        #preservesinglequotes(session.sqlstatement)#
    </cfquery>

Now, the person who might have written this code (or code like it) I'm sure would have been expecting all of those variables to have been set by legitimate features of their application or site, however, you can see how easily the open architecture ( which might make adding new features very easy, if sloppy and error prone ) could and likely would quickly lead to certain unscrupulous people doing things they shouldn't... There are more obscure examples...

    <cfquery name="rsupdate">
        UPDATE USERS
        SET layoutselection = #url.layoutselection#
        WHERE USERID = #url.userid#
    </cfquery>

could potentially cause problems if url.layoutselection isn't validated as a number and a user enters something like "&layoutselection=5,securitylevel%XX500" into the url... and suddenly a utility designed to allow the user to change their preferences has allowed them to become an administrator on the site...

hth

Isaac
www.turnkey.to
954-776-0046

______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
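Hardened forms of the rsupdate and rsdelete queries quoted above, combining Isaac's examples with the validate-then-CFQUERYPARAM approach Matthieu describes. This is an added example, not code from either post; the datasource name "mydsn" and the contents of the table allow-list are assumed placeholders.

```cfml
<!--- 1. The preferences update. Reject anything non-numeric up front, then
      bind both values with cfqueryparam so "5,securitylevel=500" can never
      become part of the SQL text (cf_sql_integer also rejects it at bind time). --->
<cfif NOT isNumeric(url.layoutselection) OR NOT isNumeric(url.userid)>
    <cfthrow message="layoutselection and userid must be numeric">
</cfif>
<cfquery name="rsupdate" datasource="mydsn">
    UPDATE USERS
    SET layoutselection = <cfqueryparam value="#url.layoutselection#" cfsqltype="cf_sql_integer">
    WHERE USERID = <cfqueryparam value="#url.userid#" cfsqltype="cf_sql_integer">
</cfquery>
<!--- Binding stops injection but is not authorization: the page should still
      confirm url.userid is the logged-in user's own id before running this. --->

<!--- 2. The delete. A table or column name cannot be bound with cfqueryparam,
      so the user-supplied name is only used as a key into a fixed allow-list
      (constructed placeholder entries); the SQL is built from the list's own
      values, never from session.sqltable itself. --->
<cfset allowedTables = {
    orders   = { table = "ORDERS",   idcol = "ORDERS_ID" },
    products = { table = "PRODUCTS", idcol = "PRODUCTS_ID" }
}>
<cfif NOT structKeyExists(allowedTables, session.sqltable)>
    <cfthrow message="unknown table">
</cfif>
<cfset target = allowedTables[session.sqltable]>
<cfquery name="rsdelete" datasource="mydsn">
    DELETE FROM #target.table#
    WHERE #target.idcol# IN (
        <!--- list="true" expands "3,7,12" into one bound integer per element --->
        <cfqueryparam value="#session.selecteditems#" cfsqltype="cf_sql_integer" list="true">
    )
</cfquery>
```

With every value bound this way the stray ' and ; characters Matthieu asks about are passed to the driver as data rather than interpreted as SQL, so there is nothing left for a regex filter to catch in the query itself.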

