Yup, that's what I *should* have said!

Cheers
Terry

----------Original Message---------  

> You mean "SQL Injection exploit". "Cross site scripting" is a different 
> exploit.
> If you can pass through multiple SQL commands through to your CFQUERY 
> and your database perms allow the user being used by CF to perform a 
> drop, then yes.
> 
> > -----Original Message-----
> > From: Terry Riley [mailto:[EMAIL PROTECTED]
> > Sent: 12 November 2003 11:47
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ cf-dev ] Use of <cfqueryparam>
> > 
> > 
> > OK, I'm convinced! Having run a few tests using CF5/SQL2K, I see what you mean.
> > 
> > However, shouldn't it be good practice to use the cfsqltype attribute, and, where character variables are concerned, the maxlength attribute also?
> > 
> > Is there any way (when the <cfqueryparam> is not being used) to cause a cross-scripting exploit to (say) drop another table, by adding 'DROP TABLE xxx' onto the end of a URL - I couldn't get it to work at all.
> > 
> > Cheers
> > Terry
> > 
> > ----------Original Message---------  
> > 
> > > The CFSQLTYPE is used to validate the input. Use of the cfqueryparam tag will always have the effect of preventing SQL injection. e.g.
> > > 
> > > The following uses a cfqueryparam tag without the cfsqltype attribute:
> > > 
> > > test (Records=1, Time=10ms)
> > > SQL = 
> > > SELECT *
> > > FROM event
> > > where eventid = ?
> > > 
> > > Query Parameter Value(s) -
> > > Parameter #1 = 123
> > > 
> > > Steve
> > > 
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: Terry Riley [mailto:[EMAIL PROTECTED]
> > > > Sent: 12 November 2003 09:10
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: [ cf-dev ] Use of <cfqueryparam>
> > > > 
> > > > 
> > > > But only if qualified by the cfsqltype, as far as I can tell.
> > > > 
> > > > Anyone else care to comment?
> > > > 
> > > > Cheers
> > > > Terry
> > > > 
> > > > ----------Original Message---------  
> > > > 
> > > > > Terry,
> > > > > 
> > > > > As I understand it, using <cfqueryparam> stops any SQL being hacked in to the query through the url or form var. It ensures that the passed variable is treated as a variable and not read as anything else.
> > > > > 
> > > > > d
> > > > > 
> > > > > ----- Original Message ----- 
> > > > > From: "Terry Riley" <[EMAIL PROTECTED]>
> > > > > To: <[EMAIL PROTECTED]>
> > > > > Sent: Tuesday, November 11, 2003 1:30 PM
> > > > > Subject: [ cf-dev ] Use of <cfqueryparam>
> > > > > 
> > > > > 
> > > > > > I've seen a lot of code lately where the query (either extracting, inserting or updating information) uses the
> > > > > >
> > > > > > <cfqueryparam value="#xxx#"> in the WHERE clause, without qualifying the parameter with a cfsqltype.
> > > > > >
> > > > > > I can understand the use of the cfqueryparam with a cfsqltype and other attributes as one way of preventing cross-site scripting (adding additional text to the string to do something evil), but see no point in using
> > > > > >
> > > > > > 'WHERE ID = <cfqueryparam value="#url.ID#">'
> > > > > >
> > > > > > as opposed to
> > > > > >
> > > > > > 'WHERE ID = "#url.ID#"'
> > > > > >
> > > > > > Is there one? Is it faster? Manuals and googles don't seem to come up with an answer.....
> > > > > >
> > > > > > Cheers
> > > > > > Terry



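The thread's three points (a spliced-in value is injectable, an appended DROP TABLE only fires if the driver forwards stacked statements and the DB login may drop, and cfqueryparam binds the value so it is never parsed as SQL) can be shown side by side. The script below is an added example, not code from the thread or from ColdFusion: it uses Python's sqlite3 in place of CF/SQL Server, a constructed "event" table with eventid 123 like the one in Steve's debug output, executescript() to model a driver that accepts a batch of statements, and sqlite's authorizer hook to model a login without DROP rights. The function names are this example's own.

```python
import sqlite3

# Constructed sample schema (not from the thread): an "event" table like the one
# in Steve's debug output, so that eventid 123 exists.
SEED = """
CREATE TABLE event (eventid INTEGER PRIMARY KEY, name TEXT);
INSERT INTO event VALUES (123, 'public launch');
INSERT INTO event VALUES (124, 'board meeting');
"""
LOOKUP = "SELECT eventid, name FROM event WHERE eventid = "


def fresh_db(allow_drop=True):
    """In-memory database. allow_drop=False uses sqlite's authorizer hook to model
    a DB login that lacks DROP rights (Steve's "database perms" caveat)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED)
    if not allow_drop:
        def deny_drop(action, *_):
            if action == sqlite3.SQLITE_DROP_TABLE:
                return sqlite3.SQLITE_DENY
            return sqlite3.SQLITE_OK
        conn.set_authorizer(deny_drop)
    return conn


def tables(conn):
    """Names of the tables that still exist."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]


def lookup_concat(conn, url_id):
    """WHERE ID = #url.ID#  -- the raw URL value is spliced into the SQL text.
    sqlite's execute() refuses a second statement, so an appended DROP TABLE
    fails here (the behaviour Terry saw); a tautology like '123 OR 1=1' still works."""
    try:
        return conn.execute(LOOKUP + str(url_id)).fetchall()
    except (sqlite3.Error, sqlite3.Warning):
        return None  # driver rejected the stacked statement


def lookup_concat_batch(conn, url_id):
    """Same concatenation, but executescript() models a driver that forwards a
    batch of statements as-is, so the appended DROP TABLE is executed."""
    try:
        conn.executescript(LOOKUP + str(url_id))
    except (sqlite3.Error, sqlite3.Warning):
        pass  # e.g. "not authorized" when the login may not DROP
    return tables(conn)


def lookup_param(conn, url_id):
    """<cfqueryparam value="#url.ID#"> with no cfsqltype: the value is bound as a
    parameter, so whatever it contains is compared as data, never parsed as SQL."""
    return conn.execute(LOOKUP + "?", (url_id,)).fetchall()


def lookup_param_typed(conn, url_id):
    """<cfqueryparam value="#url.ID#" cfsqltype="cf_sql_integer">: the value must
    be a valid integer before it is bound, so bad input is rejected up front."""
    try:
        value = int(url_id)
    except (TypeError, ValueError):
        raise ValueError(f"eventid must be an integer, got {url_id!r}")
    return conn.execute(LOOKUP + "?", (value,)).fetchall()


if __name__ == "__main__":
    payload = "123; DROP TABLE event"
    print("concat, single-statement driver:", lookup_concat(fresh_db(), payload))
    print("concat, batch driver, DROP allowed:", lookup_concat_batch(fresh_db(), payload))
    print("concat, batch driver, DROP denied:", lookup_concat_batch(fresh_db(False), payload))
    print("cfqueryparam, same payload:", lookup_param(fresh_db(), payload))
    print("concat, tautology:", lookup_concat(fresh_db(), "123 OR 1=1"))
```

The point Terry's test missed is that "DROP TABLE on the end of the URL didn't work" only tells you about the driver and the login, not about the query: `lookup_concat` still returns every row for `123 OR 1=1`, and the same concatenated query drops the table as soon as a batch-capable driver and a DROP-capable login are in play. `lookup_param` returns nothing for either payload because the whole string is compared against eventid as a value, and `lookup_param_typed` is the cfsqltype layer on top of that, rejecting anything that is not an integer before the database sees it.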
-- 
** Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/