SQL injection is not language specific. Obviously cfqueryparam is. Another approach I have used in a previous life is, on every page request, to loop through the form and url structures and do replace()s on potentially malicious characters. I think that approach is debatable, but in a small system it might make sense.
~Dave

On 12/6/05, Chris Gomez <[EMAIL PROTECTED]> wrote:
>
> Q: Does this only work with cfm files? Could it be done using a html file?
>
> On 12/6/05, Joe Kelly <[EMAIL PROTECTED]> wrote:
> >
> > Other than <cfqueryparam>, suggestions are to use stored procedures.
> > I thought there was a custom tag that cleaned URLs, but you'll have to
> > look that up.
> >
> > Pete Freitag has something
> > http://www.petefreitag.com/item/363.cfm
> >
> > http://www.macromedia.com/devnet/coldfusion/articles/cfqueryparam.html
> >
> > HTH,
> > Joe Kelly
> >
> > On 12/6/05, Dave Shuck <[EMAIL PROTECTED]> wrote:
> > > Think of the following...
> > >
> > > Say you have an ID for customer creatively named customerID. And let's
> > > say we are going to view their account info:
> > > http://blah.com/accountInfo.cfm?customerID=2
> > >
> > > On the SQL side, you might have something like:
> > >
> > > SELECT stuff
> > > FROM customers
> > > WHERE customerID = #url.customerID#
> > >
> > > What if the visitor altered the url to:
> > > http://blah.com/accountInfo.cfm?customerID=2;DELETE FROM customers
> > >
> > > The query has just become:
> > > SELECT stuff
> > > FROM customers
> > > WHERE customerID = 2;DELETE FROM customers
> > >
> > >
> > > Or say you have a login on a site and your SQL is:
> > >
> > > SELECT * (yeah I know * is bad)
> > > FROM users
> > > WHERE username = '#form.username#'
> > > AND password = '#form.password#'
> > >
> > > What if the person puts the following in the password input field? value:
> > > 1' OR 1 = 1
> > >
> > > Effectively they have just said
> > > SELECT *
> > > FROM users
> > > WHERE username = 'whatever'
> > > AND password = '1' OR 1 = 1
> > >
> > > And they are now logged in as the first user. Those are a couple of
> > > simple methods.
> > >
> > > ~Dave
> > >
> > >
> > > On 12/6/05, Chris Gomez <[EMAIL PROTECTED]> wrote:
> > > >
> > > > I remember reading somewhere that a knowledgeable hack could append a
> > > > SQL statement to a cfm filename (example: index.cfm?Name='Drop Table')
> > > > and cause it to drop a table. The fix for it was to use cfqueryparams
> > > > to filter the data being submitted to the query. Sorry for the lack of
> > > > info, but that's about all I remember. Does anyone know how this hack
> > > > works?
> > > >
> > > > btw, I'm not trying to do this, just figure out how it works and how
> > > > to prevent it.
> > > >
> > > > Thanks,
> > > >
> > > > Chris
> > > > _______________________________________________
> > > > List mailing list
> > > > Reply to DFWCFUG:
> > > > [email protected]
> > > > Subscribe/Unsubscribe:
> > > > http://lists1.safesecureweb.com/mailman/listinfo/list
> > > > List Archive:
> > > > http://lists1.safesecureweb.com/mailman/private/list
> > > > DFWCFUG Sponsors: www.HostMySite.com www.teksystems.com/

--
~Dave Shuck
[EMAIL PROTECTED]
www.daveshuck.com
