I believe it's called a "SQL Inject", and is basically what you've
described. Pretty much any time you're doing something with the database
that's including user modifiable data (from a form, from a URL, from a
cookie), you have to add the cfqueryparam.
I'm not sure there's much more to that, but I'd love to be proven wrong
so I can learn too.
Chris Gomez wrote:
I remember reading somewhere that a knowledgeable hack could append a SQL
statement to a cfm filename (example: index.cfm?Name='Drop Table') and cause
it to drop a table. The fix for it was to use cfqueryparams to filter the
data being submitted to the query. Sorry for the lack of info, but that's
about all I remember. Does anyone know how this hack works?
btw, I'm not trying to do this, just figure out how it works and how to
prevent it.
Thanks,
Chris
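As an added illustration that is not code from the thread (the datasource, table and variable names are assumed), here is the pattern under discussion in CFML: a lookup that splices the URL value straight into the SQL text, then the same lookup with cfqueryparam binding the value instead.

```cfml
<!--- Constructed example, not from the thread. myDSN, Customers and
      the url/form variables are assumed names. --->
<cfparam name="url.CustomerID" default="0">
<cfparam name="form.LastName" default="">

<!--- VULNERABLE: the URL value becomes part of the SQL statement itself.
      ColdFusion doubles single quotes in #variables# used inside cfquery,
      but that does not help here: the value is not inside a quoted
      literal, so whatever follows the number is parsed as SQL. --->
<cfquery name="qBad" datasource="myDSN">
    SELECT  CustomerID, LastName
    FROM    Customers
    WHERE   CustomerID = #url.CustomerID#
</cfquery>

<!--- FIXED: cfqueryparam sends the value as a bound parameter, so the
      database receives a number and never SQL text. cfsqltype also
      validates the input (a non-integer is rejected with an error
      before the query is sent), which makes bad input visible in logs. --->
<cfquery name="qGood" datasource="myDSN">
    SELECT  CustomerID, LastName
    FROM    Customers
    WHERE   CustomerID = <cfqueryparam value="#url.CustomerID#"
                                       cfsqltype="cf_sql_integer">
</cfquery>

<!--- The same rule for string input from a form field: bind it and cap
      its length rather than relying on the automatic quote escaping. --->
<cfquery name="qByName" datasource="myDSN">
    SELECT  CustomerID, LastName
    FROM    Customers
    WHERE   LastName = <cfqueryparam value="#form.LastName#"
                                     cfsqltype="cf_sql_varchar"
                                     maxlength="50">
</cfquery>
```

Every place a cfquery reads a url, form or cookie value should look like qGood or qByName; a cfquery that references such a variable with bare #...# is the thing to grep for during review.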
_______________________________________________
List mailing list
Reply to DFWCFUG:
[email protected]
Subscribe/Unsubscribe:
http://lists1.safesecureweb.com/mailman/listinfo/list
List Archive:
http://lists1.safesecureweb.com/mailman/private/list
DFWCFUG Sponsors: www.HostMySite.com www.teksystems.com/