ALWAYS ALWAYS ALWAYS use either val() or the new <cfqueryparam> tag in
your SQL statements.
select * from mytable where ID=#val(attributes.id)#
This will eliminate the problem. This problem exists whether you use
attributes, form, cookie, variables, url, session, etc. It's a database
issue, not a scoping issue.
Steve
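Added example (not from Steve's post or anyone else in the thread): the raw query beside both fixes named above, fed the sample value Alan describes. The datasource name "myDSN", the cfparam default, and the cftry around the parameterized query are assumptions; mytable and ID come from the one-liner above.

```cfml
<!--- Added example, not from the original thread. "myDSN" is an assumed
      datasource; mytable/ID come from Steve's one-liner. attributes.id is
      assumed to arrive via formurl2attributes, so a URL such as the one
      Alan describes, ...&ID=3(DROP%20DATABASE%20FOO), lands here as the
      string "3(DROP DATABASE FOO)". --->
<cfparam name="attributes.id" default="0">

<!--- Unsafe: the attribute is spliced straight into the SQL text, so
      whatever follows the digit becomes part of the statement. --->
<cfquery name="qUnsafe" datasource="myDSN">
    select * from mytable where ID = #attributes.id#
</cfquery>

<!--- Fix 1 (val): keeps only the leading numeric characters.
      val("3(DROP DATABASE FOO)") is 3 and val("abc") is 0, so the
      appended text never reaches the database, but a bad value is
      silently turned into a lookup of row 3 or row 0. --->
<cfquery name="qVal" datasource="myDSN">
    select * from mytable where ID = #val(attributes.id)#
</cfquery>

<!--- Fix 2 (cfqueryparam): the value is bound as a typed parameter, not
      concatenated. With cfsqltype="cf_sql_integer" a non-integer value is
      rejected with an error before the query runs, which is usually what
      you want: fail loudly and log it rather than guess at a row. --->
<cftry>
    <cfquery name="qParam" datasource="myDSN">
        select * from mytable
        where ID = <cfqueryparam value="#attributes.id#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfcatch type="any">
        <!--- Record the rejected value for review; never echo it back raw. --->
        <cflog file="badinput" text="Rejected ID value: #HTMLEditFormat(attributes.id)#">
        <cfabort>
    </cfcatch>
</cftry>
```

The val() form is the quick fix for existing code; the cfqueryparam form is the one to write going forward, since it also catches the bad input instead of quietly mapping it to a different record.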
"McCollough, Alan" wrote:
>
> I'm not at 100%, but I'm gonna say that NONE OF YA ARE! I believe we're on
> a hot topic here, one worth exploring...
>
> OK, I'll play devil's advocate here... Let's say you are formurl2attributes
> everything, so all of your form and urls get scoped to attributes. and in
> your coding you prefix ALL your vars to attributes.
>
> I'd hazard to guess that there are some SQL queries that are built from
> variables not previously URLable that could now be maliciously modified with
> a url-appended variable, "www.foo.com&ID=3(DROP%20DATABASE%20FOO)" or
> something like that...
>
> I'm just tossing ideas out here before I adopt the "scope 'em all"
> philosophy.
>
> Alan McCollough
> Web Programmer
> Alaska Native Medical Center
>
> > -----Original Message-----
> > From: Nat Papovich [SMTP:[EMAIL PROTECTED]]
> > Sent: Monday, July 17, 2000 9:40 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: Need to toggle URL and FORM vars
> >
> > But if you attributes scope that "dbupdated" variable, you might kiss
> > yourself later. Imagine if, when demo-ing the yet unfinished app to your
> > client, for some inexplicable reason, dbupdated gets whacked or out of line
> > somehow. It's expecting "Widget was added successfully", but it's getting
> > "Widget added successfully". Now your app is broken until you access the
> > source code and change the conditional to check for the different text
> > string. But if, in the midst of this demo, you remember that dbupdated is
> > attributes scoped, you can append
> > "dbupdated=Widget%20was%20added%20successfully" to your url string, and it
> > works! (provided that cfset was instead a cfparam, but you get the idea).
> >
> > Now before everyone points out the obvious security loopholes here, I'll
> > say it. IMPROPER CODING CREATES OBVIOUS SECURITY LOOPHOLES. This allows for
> > greater flexibility, but more chance of things going "differently".
> >
> > Also, if you use attributes scope in your logic code, you can do cool stuff
> > like post the search string to the url string so if a user wants to bookmark
> > a search results page, they sure as heck can, because your search
> > results processing page will handle a search query via a form variable, url
> > variable, or (heck) even attributes variable if you ever wanted to cfmodule
> > your search circuit.
> >
> > 100%?
> >
> > -----Original Message-----
> > From: Erik Voldengen [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, July 17, 2000 10:05 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: Need to toggle URL and FORM vars
> >
> >
> > Nope. Now you are down to 97%.
> >
> > The VARIABLES scope is great for things like:
> >
> > <cfset dbupdated="Widget was added successfully">
> >
> > in an act_ file, and
> >
> > <cfoutput>#Variables.dbupdated#</cfoutput>
> >
> > in a dsp_ file that immediately follows that act_ file
> > within the <CFCASE>.
> >
> >
> > > -----Original Message-----
> > > From: McCollough, Alan [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, July 17, 2000 9:58 AM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: RE: Need to toggle URL and FORM vars
> > >
> > >
> > > Ah, the lightbulb is up to 98% on. So as a principle, do you scope every
> > > occurrence of a variable with the attributes. prefix?
> > >
> > > Alan McCollough
> > > Web Programmer
> > > Alaska Native Medical Center
------------------------------------------------------------------------------
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or send a
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.