Isaac (and all others who responded on this issue), Thanks very much for your responses. They've been very helpful. Sorry that I didn't send my thanks earlier, but I left town for a few days about twenty minutes after my last post!
Matthieu

-----Original Message-----
From: S. Isaac Dealey [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 11, 2002 10:52 PM
To: CF-Talk
Subject: RE: How do I do a SQL insertion attack?

> First of all, every time I see your name as it appears
> on the list (S. Isaac Dealey), my brain for some
> reason automatically translates it into Sir Isaac
> Dealey. So if I call you Sir Isaac by accident, I hope
> that you don't mind. :)

No, it won't bother me... I think you may be confusing me with Newton. Though he's a little older. :)

> ..I am first validating the variable as a numeric, and
> then using CFQUERYPARAM around the variable
> name in the query itself.
>
> All of the variables, whether text-based or not, are
> screened using regexes before submission to a
> SQL query for any attack patterns I can think of.

Yep, you're _very_ safe. :)

> With that approach, I expected that I'd still have to
> filter out ' and ; characters, but it sounds like I don't
> even need to do that. If you or anyone else can
> verify this, I'd appreciate it.

I can verify it... the ; will get filtered out of possibly being appended to numeric or date fields by the regex and queryparams ... in string fields where you want users to be able to enter them it shouldn't be a problem because it'll be inside of the string -- and double-quotes unless you bound the variable with preservesinglequotes() will all be escaped, which will prevent the user from breaking out of the string variable. And actually if you're using queryparam to validate it as being a string variable, I don't think there's any way that you _could_ use preservesinglequotes() to choke it, even on the server side with hard-coded strings...

Isaac
www.turnkey.to
954-776-0046
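For readers arriving at this thread later, here is the pattern Matthieu and Isaac are discussing, written out as an added CFML example; it is not code from either of them. The datasource name "myDSN", the "products" table and its columns, and the url/form variable names are assumptions made for the illustration. It shows the unsafe habit (pasting a request value into the SQL text) next to the approach they agree on: check the type, then bind the value with CFQUERYPARAM so it reaches the database as a typed parameter rather than as part of the statement.

```cfml
<!--- Added example, not from the original thread. "myDSN", the "products"
      table and the url/form variable names are assumptions. --->

<!--- 1. Unsafe: url.id is interpolated straight into the SQL text, so
        whatever the client sends becomes part of the statement. --->
<cfquery name="getProductUnsafe" datasource="myDSN">
    SELECT id, name, price
    FROM products
    WHERE id = #url.id#
</cfquery>

<!--- 2. Safe: validate the type first (the "numeric" check from the
        thread), then bind with cfqueryparam. With cf_sql_integer the
        driver sends a typed parameter, not text spliced into the SQL. --->
<cfparam name="url.id" default="">
<cfif NOT isNumeric(url.id) OR val(url.id) LTE 0>
    <cfthrow type="InvalidInput" message="id must be a positive integer">
</cfif>
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name, price
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 3. Free-text field: the value is bound as a string, so any ' or ;
        the user types is data inside the parameter, not SQL syntax.
        maxlength caps how much input is accepted at all. --->
<cfparam name="form.searchTerm" default="">
<cfquery name="searchProducts" datasource="myDSN">
    SELECT id, name
    FROM products
    WHERE name LIKE <cfqueryparam value="%#form.searchTerm#%"
                                  cfsqltype="cf_sql_varchar"
                                  maxlength="60">
</cfquery>
```

The binding in steps 2 and 3 is what stops a request value from changing the shape of the statement; the numeric check and the regex screening Matthieu describes are useful as defense in depth and as input validation for the application's own sake, but they are not what the protection rests on. As Isaac notes, there is no need to strip quotes or semicolons from a string field that is bound this way, and there is no reason to wrap a bound parameter in preserveSingleQuotes().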

