I asked this question at this month's very helpful Fusebox presentation at the
San Diego CFUG http://www.sdcfug.com
The proposed answer was a block of code that prevented any query action page
from being called directly. By forcing everything through the fuses
index.cfm, the form and url validation would occur before being translated
into attributes.
Points of clarification and/or reports of gaping holes are encouraged.
Thanks,
Rick
----- Original Message -----
From: "Steve Nelson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 17, 2000 12:09 PM
Subject: Re: Need to toggle URL and FORM vars
> ALWAYS ALWAYS ALWAYS use either val() or the new <cfqueryparam> tag in
> your SQL statements.
>
> select * from mytable where ID=#val(attributes.id)#
>
> This will eliminate the problem. This problem exists whether you use
> attributes, form, cookie, variables, url, session, etc. It's a database
> issue, not a scoping issue.
>
> Steve
>
> "McCollough, Alan" wrote:
> >
> > I'm not at 100%, but I'm gonna say that NONE OF YA ARE ! I believe we're on
> > a hot topic here, one worth exploring...
> >
> > OK, I'll play devil's advocate here... Let's say you are formurl2attributes
> > everything, so all of your form and urls get scoped to attributes. and in
> > your coding you prefix ALL your vars to attributes.
> >
> > I'd hazard to guess that there are some SQL queries that are built from
> > variables not previously URLable that could now be maliciously modified with
> > a url-appended variable, "www.foo.com&ID=3(DROP%20DATABASE%20FOO)" or
> > something like that...
> >
> > I'm just tossing ideas out here before I adopt the "scope 'em all"
> > philosophy.
> >
> > Alan McCollough
> > Web Programmer
> > Alaska Native Medical Center
> >
> > > -----Original Message-----
> > > From: Nat Papovich [SMTP:[EMAIL PROTECTED]]
> > > Sent: Monday, July 17, 2000 9:40 AM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: RE: Need to toggle URL and FORM vars
> > >
> > > But if you attributes scope that "dbupdated" variable, you might kiss
> > > yourself later. Imagine if, when demo-ing the yet unfinished app to your
> > > client, for some inexplicable reason, dbupdated gets whacked or out of line
> > > somehow. It's expecting "Widget was added successfully", but it's getting
> > > "Widget added successfully". Now your app is broken until you access the
> > > source code and change the conditional to check for the different text
> > > string. But if, in the midst of this demo, you remember that dbupdated is
> > > attributes scoped, you can append
> > > "dbupdated=Widget%20was%20added%20successfully" to your url string, and it
> > > works! (provided that cfset was instead a cfparam, but you get the idea).
> > >
> > > Now before everyone points out the obvious security loopholes here, I'll
> > > say it. IMPROPER CODING CREATES OBVIOUS SECURITY LOOPHOLES. This allows for
> > > greater flexibility, but more chance of things going "differently".
> > >
> > > Also, if you use attributes scope in your logic code, you can do cool stuff
> > > like post the search string to the url string so if a user wants to bookmark
> > > a search results page, they sure as heck can, because your search results
> > > processing page will handle a search query via a form variable, url
> > > variable, or (heck) even attributes variable if you ever wanted to cfmodule
> > > your search circuit.
> > >
> > > 100%?
> > >
> > > -----Original Message-----
> > > From: Erik Voldengen [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, July 17, 2000 10:05 AM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: RE: Need to toggle URL and FORM vars
> > >
> > >
> > > Nope. Now you are down to 97%.
> > >
> > > The VARIABLES scope is great for things like:
> > >
> > > <cfset dbupdated="Widget was added successfully">
> > >
> > > in an act file, and
> > >
> > > <cfoutput>#Variables.dbupdated#</cfoutput>
> > >
> > > in a dsp_ file that immediately follows that act_ file
> > > within the <CFCASE>.
> > >
> > >
> > > > -----Original Message-----
> > > > From: McCollough, Alan [mailto:[EMAIL PROTECTED]]
> > > > Sent: Monday, July 17, 2000 9:58 AM
> > > > To: '[EMAIL PROTECTED]'
> > > > Subject: RE: Need to toggle URL and FORM vars
> > > >
> > > >
> > > > Ah, the lightbulb is up to 98% on. So as a principle, do you scope every
> > > > occurrence of a variable with the attributes. prefix?
> > > >
> > > > Alan McCollough
> > > > Web Programmer
> > > > Alaska Native Medical Center
> > >
> > > --------------------------------------------------------------------------
> > > To Unsubscribe visit
> > > http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
> > > send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
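As an added example (not code from anyone in this thread), the three query styles discussed above modelled in Python, with an in-memory sqlite3 table standing in for "mytable": cf_val is a simplified stand-in for ColdFusion's val(), query_raw mirrors pasting #attributes.id# straight into the SQL, and query_param stands in for <cfqueryparam cfsqltype="cf_sql_integer">. The payload is the one Alan sketched, URL-decoded.

```python
import re
import sqlite3

# Constructed sample data and a payload shaped like Alan's example (not real data).
ROWS = [(1, "widget"), (3, "gadget"), (7, "sprocket")]
PAYLOAD = "3(DROP DATABASE FOO)"

def cf_val(s):
    """Simplified model of ColdFusion's val(): the leading numeric prefix of the
    string, or 0 when there is none, so any trailing SQL fragment is discarded."""
    m = re.match(r"\s*([+-]?\d+(?:\.\d+)?)", str(s))
    if not m:
        return 0
    text = m.group(1)
    return float(text) if "." in text else int(text)

def make_db():
    """In-memory table standing in for 'mytable' in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (ID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)", ROWS)
    return conn

def query_raw(conn, attr_id):
    """Mirrors  WHERE ID=#attributes.id#  : the value is pasted into the SQL text."""
    return conn.execute(f"SELECT name FROM mytable WHERE ID={attr_id}").fetchall()

def query_val(conn, attr_id):
    """Mirrors  WHERE ID=#val(attributes.id)#  : only a number can reach the SQL."""
    return conn.execute(f"SELECT name FROM mytable WHERE ID={cf_val(attr_id)}").fetchall()

def query_param(conn, attr_id):
    """Mirrors <cfqueryparam cfsqltype="cf_sql_integer">: the value is type-checked
    (int() raises on anything that is not an integer) and bound as data, never parsed as SQL."""
    return conn.execute("SELECT name FROM mytable WHERE ID=?", (int(attr_id),)).fetchall()

def outcome(query, value):
    """Run one query style against a fresh DB; report the rows or the rejection class."""
    try:
        return query(make_db(), value)
    except (sqlite3.Error, ValueError) as exc:
        return "rejected: " + type(exc).__name__

if __name__ == "__main__":
    for name, q in (("raw", query_raw), ("val()", query_val), ("cfqueryparam", query_param)):
        print(f"{name:13} id=3 -> {outcome(q, '3')}   id={PAYLOAD!r} -> {outcome(q, PAYLOAD)}")
```

With the raw style the attacker's text reaches the SQL parser (here it surfaces as a syntax error; a payload that parses would run); val() silently truncates it to 3, and the parameterised style rejects it outright because it is not an integer.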