Because there have been some issues with the cfqueryparam tag (I've had a
love-hate relationship with this tag since CF 4.5), I've made the following
function - does it seem safe? I can't crack it anyway.
Also, it seems that PreserveSingleQuotes() isn't required around values to be
put into the database, e.g. myStrField = #dbValue(myStrField,"varchar")#; in
fact I had some errors for some values (e.g. date) when using the
PreserveSingleQuotes function. I noticed the change a while ago. Will it be
a permanent thing that the PreserveSingleQuotes() function is not required
around function results?
<cffunction name="dbValue" output="No">
    <cfargument name="value" required="true">
    <cfargument name="type" required="true">
    <cfargument name="list" default="false">
    <cfargument name="maxlen" default="">
    <cfargument name="null" default="false">
    <cfset var returnValue = arguments.value>
    <cfset var v = "">
    <cfif arguments.list IS true>
        <!--- parse each list value individually (recursing with list=false) --->
        <cfset returnValue = "">
        <cfloop list="#arguments.value#" index="v">
            <cfset returnValue = listAppend(returnValue,
                dbValue(v, arguments.type, false, arguments.maxlen, arguments.null))>
        </cfloop>
    <cfelse>
        <cfif listFindNoCase("cf_sql_numeric,numeric", arguments.type)>
            <!--- parse numeric values: keep only digits and the decimal point --->
            <cfset returnValue = REReplace(returnValue, "[^\.0-9]*", "", "all")>
            <cfif len(returnValue) IS 0 AND arguments.null IS true>
                <cfset returnValue = "NULL">
            <cfelseif len(returnValue) IS 0>
                <cfthrow message="Invalid numeric value specified. (value=#arguments.value#)">
            </cfif>
        <cfelseif listFindNoCase("cf_sql_varchar,varchar", arguments.type)>
            <!--- parse string values: truncate BEFORE doubling quotes, otherwise
                  a doubled '' at the cut-off point can be split back into a
                  single ' and the quoting below becomes unbalanced --->
            <cfif len(arguments.maxlen)>
                <cfset returnValue = left(returnValue, arguments.maxlen)>
            </cfif>
            <!--- doubles single quotes only; backslash escapes (the MySQL
                  concern raised in the quoted thread) are not handled here --->
            <cfset returnValue = REReplace(returnValue, "'", "''", "all")>
            <cfif len(returnValue) IS 0 AND arguments.null IS true>
                <cfset returnValue = "NULL">
            <cfelse>
                <!--- the truncated value previously fell through unquoted;
                      every non-NULL string is now wrapped in quotes --->
                <cfset returnValue = "'#returnValue#'">
            </cfif>
        <cfelseif listFindNoCase("cf_sql_date,date", arguments.type)>
            <!--- parse date values --->
            <cfif isDate(returnValue)>
                <cfset returnValue = createODBCDateTime(arguments.value)>
            <cfelseif arguments.null IS true>
                <cfset returnValue = "NULL">
            <cfelse>
                <cfthrow message="Invalid date value specified. (value=#arguments.value#)">
            </cfif>
        <cfelse>
            <cfthrow message="Invalid argument type specified. (type=#arguments.type#)">
        </cfif>
    </cfif>
    <cfreturn returnValue>
</cffunction>
Anyway, anyone who has the time to look through can give me some feedback.
It's difficult being the only programmer in a company - never get any
feedback. We need more programmers but they're hard to find at the moment.
Thanks
Joel
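As an added illustration (not part of Joel's post or of any library), here is the same set of inputs that dbValue() handles, written with cfqueryparam as Barry's reply recommends, next to the string-interpolation pattern Tim asked about. The datasource name, table, column and form field names are assumptions.

```cfml
<!--- Added example, not from the original post. Datasource, table, column
      and form field names are assumed for illustration. --->

<!--- Pattern from the thread: the form value becomes part of the SQL text.
      ColdFusion doubles single quotes here, but that only protects the
      closing quote; the backslash behaviour raised for MySQL is why the
      thread recommends binding values instead of splicing them in. --->
<cfquery name="lookupUnsafe" datasource="mydsn">
    SELECT firstname, surname FROM users
    WHERE firstname = '#form.firstname#'
</cfquery>

<!--- Hardened form: each value is bound as a typed parameter, so the driver
      never interprets it as SQL and no quoting or escaping rule applies.
      The attributes mirror dbValue()'s arguments:
        cfsqltype  -> type, maxlength -> maxlen, null -> null, list -> list --->
<cfquery datasource="mydsn">
    INSERT INTO users (firstname, age, created)
    VALUES (
        <cfqueryparam value="#form.firstname#"
                      cfsqltype="cf_sql_varchar"
                      maxlength="50">,
        <cfqueryparam value="#form.age#"
                      cfsqltype="cf_sql_numeric">,
        <!--- store NULL when the field is not a date, as dbValue(null=true) does --->
        <cfqueryparam value="#form.created#"
                      cfsqltype="cf_sql_date"
                      null="#NOT isDate(form.created)#">
    )
</cfquery>

<!--- list="true" covers the list branch of dbValue(): a comma-separated
      form value is bound as one parameter per element for an IN clause. --->
<cfquery name="byIds" datasource="mydsn">
    SELECT firstname, surname FROM users
    WHERE id IN (<cfqueryparam value="#form.ids#"
                               cfsqltype="cf_sql_integer"
                               list="true">)
</cfquery>
```

With the values bound this way, PreserveSingleQuotes() is not needed at all, because nothing from the request is ever concatenated into the query string.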
-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED]
Behalf Of Barry Beattie
Sent: Wednesday, 7 June 2006 4:27 PM
To: [email protected]
Subject: [cfaussie] Re: SQL Injection in CF
ahem!
"cfqueryparam"
always!!!
(except for some "select into..." which won't work)
On 6/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Hi Folks,
>
> Read a good article on SQL Injection attacks today:
> http://www.unixwiz.net/techtips/sql-injection.html
>
> I've always been under the impression that quoted form fields are safe
> from SQL injection attacks because CF automatically escapes single
> quotes. So if you have some SQL like this:
> SELECT firstname,surname FROM users
> WHERE firstname = '#form.firstname#'
> it won't really matter if someone tries to put some dodgy SQL into
> form.firstname because any ' character they enter will be turned into
> '' so everything they type will remain quoted.
>
> However, according to the article this can be trivially defeated in
> some dbs like MySQL by escaping a single quote with the \ character.
>
> I have a couple of questions:
> 1. Is this really a problem for MySQL or does CF have some other escape
> mechanism?
> 2. Is there any way of causing this problem in SQL Server?
>
> Thanks in advance
>
> Tim
>
>
> >
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"cfaussie" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/cfaussie
-~----------~----~----~----~------~----~------~--~---