Dunno! I read the comments on Freitag's blog, and 3 out of 3 couldn't get it to work - my guess is they didn't restart the server. I guess you could get it to work on HTML pages by setting CF to run all your HTML pages. There are pros and cons to that, but why would you need to protect your HTML pages? They shouldn't be affected unless there's a form submission. Then you could use RegEx in your form-processing code to strip out the SQL.
Joe Kelly

On 12/6/05, Chris Gomez <[EMAIL PROTECTED]> wrote:
> Q: Does this only work with cfm files? Could it be done using a html file?
>
> On 12/6/05, Joe Kelly <[EMAIL PROTECTED]> wrote:
> >
> > Other than <cfqueryparam> suggestions are to use stored procedures.
> > I thought there was a custom tag that cleaned URLs, but you'll have to
> > look that up.
> >
> > Pete Freitag has something
> > http://www.petefreitag.com/item/363.cfm
> >
> > http://www.macromedia.com/devnet/coldfusion/articles/cfqueryparam.html
> >
> > HTH,
> > Joe Kelly
> >
> > On 12/6/05, Dave Shuck <[EMAIL PROTECTED]> wrote:
> > > Think of the following...
> > >
> > > Say you have an ID for customer creatively named customerID. And let's
> > > say we are going to view their account info:
> > > http://blah.com/accountInfo.cfm?customerID=2
> > >
> > > On the SQL, you might have something like:
> > >
> > > SELECT stuff
> > > FROM customers
> > > WHERE customerID = #url.customerID#
> > >
> > > What if the visitor altered the url to:
> > > http://blah.com/accountInfo.cfm?customerID=2;DELETE FROM customers
> > >
> > > The query has just become:
> > > SELECT stuff
> > > FROM customers
> > > WHERE customerID = 2;DELETE FROM customers
> > >
> > >
> > > Or say you have a login on a site and your SQL is:
> > >
> > > SELECT * (yeah I know * is bad)
> > > FROM users
> > > WHERE username = '#form.username#'
> > > AND password = '#form.password#'
> > >
> > > What if the person puts the following in the password input field?
> > > value:
> > > 1' OR 1 = 1
> > >
> > > Effectively they have just said
> > > SELECT *
> > > FROM users
> > > WHERE username = 'whatever'
> > > AND password = '1' OR 1 = 1
> > >
> > > And they are now logged in as the first user. Those are a couple of
> > > simple methods.
> > >
> > > ~Dave
> > >
> > >
> > > On 12/6/05, Chris Gomez <[EMAIL PROTECTED]> wrote:
> > > >
> > > > I remember reading somewhere that a knowledgeable hack could append a
> > > > SQL statement to a cfm filename (example: index.cfm?Name='Drop Table')
> > > > and cause it to drop a table. The fix for it was to use cfqueryparams
> > > > to filter the data being submitted to the query. Sorry for the lack of
> > > > info, but that's about all I remember. Does anyone know how this hack
> > > > works?
> > > >
> > > > btw, I'm not trying to do this, just figure out how it works and how
> > > > to prevent it.
> > > >
> > > > Thanks,
> > > >
> > > > Chris
> > > > _______________________________________________
> > > > List mailing list
> > > > Reply to DFWCFUG:
> > > > [email protected]
> > > > Subscribe/Unsubscribe:
> > > > http://lists1.safesecureweb.com/mailman/listinfo/list
> > > > List Archive:
> > > > http://lists1.safesecureweb.com/mailman/private/list
> > > > DFWCFUG Sponsors: www.HostMySite.com www.teksystems.com/
> > >
> > >
> > > --
> > > ~Dave Shuck
> > > [EMAIL PROTECTED]
> > > www.daveshuck.com
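The fix the thread points to, written out as an added example (not code from the thread, from Pete Freitag's article or from the Macromedia page): Dave's two vulnerable queries beside the same queries using <cfqueryparam>. The datasource name application.dsn and the table columns are assumed.

```cfml
<!--- Added example, not from the thread. Datasource and columns are assumed. --->

<!--- VULNERABLE: the URL value is pasted straight into the SQL text, so
      ?customerID=2;DELETE FROM customers becomes part of the statement. --->
<cfquery name="getAccount" datasource="#application.dsn#">
    SELECT stuff
    FROM customers
    WHERE customerID = #url.customerID#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a bind parameter instead of
      SQL text, and cf_sql_integer makes ColdFusion reject anything that is
      not a whole number, so "2;DELETE FROM customers" raises an error before
      the database ever sees it. The isValid check just fails fast with a
      friendlier message than the cfqueryparam exception. --->
<cfif NOT isValid("integer", url.customerID)>
    <cfthrow message="customerID must be a whole number">
</cfif>
<cfquery name="getAccount" datasource="#application.dsn#">
    SELECT stuff
    FROM customers
    WHERE customerID = <cfqueryparam value="#url.customerID#"
                                     cfsqltype="cf_sql_integer">
</cfquery>

<!--- LOGIN: with bound varchar parameters the quote in  1' OR 1 = 1  is
      just data, so the WHERE clause compares that whole literal against
      the stored password and the "OR 1 = 1" never becomes SQL.
      maxlength caps what is sent to the database. --->
<cfquery name="checkLogin" datasource="#application.dsn#">
    SELECT userID, username
    FROM users
    WHERE username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar" maxlength="50">
      AND password = <cfqueryparam value="#form.password#"
                                   cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>
```

The same bind-parameter approach covers the Name='Drop Table' case from Chris's original question, since the quote and the keywords arrive as a string value rather than as statement text.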
