Other than doing '%partial strings%', why would you ever *not* use
<cfqueryparam>?  To me, it seems like an obvious and easy solution to the
problem.

Additionally, if you create objects to manage the writing and reading of
data to your database, then you can easily add yet another level of safety
by typing all arguments to and from the methods.  Just another $0.02. :)

~Dave

On 12/6/05, Lewis, David <[EMAIL PROTECTED]> wrote:
>
> You'd have to get the quotes closed for it to see the semi-colon and
> additional commands, and I don't think CF will let you do that, from what I
> can tell...unless you are using the PreserveSingleQuotes function on the
> parameter..that would allow it to work.
>
> We probably should not trust CF to do this for us tho..I need to look back
> at some of the suggestions.
>
> But..if this is the case, then the real worry for a beginning programmer is
> just the numeric parameters...you can check em with "IsNumeric" before using
> them in a query..
>
> -----Original Message-----
> From: Knipp, Eric [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 06, 2005 4:46 PM
> To: Dallas/Fort Worth ColdFusion User Group Mailing List
> Subject: RE: [DFW CFUG] cfm hacks
>
>
> If an attacker adds a semicolon to the query string additional commands
> could be executed .. wouldn't this be a problem.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Lewis, David
> Sent: Tuesday, December 06, 2005 2:35 PM
> To: 'Dallas/Fort Worth ColdFusion User Group Mailing List'
> Subject: RE: [DFW CFUG] cfm hacks
>
> Can anyone show that this example is still vulnerable in current CF
> versions?  I'm seeing that CF escapes the quote mark and your parm string
> stays intact..ie..
>
> SELECT *
> FROM users
> WHERE username = 'whatever'
> AND password = '1'' OR 1 = 1'
>
> -----Original Message-----
> From: Dave Shuck [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 06, 2005 3:45 PM
> To: Dallas/Fort Worth ColdFusion User Group Mailing List
> Subject: Re: [DFW CFUG] cfm hacks
>
> <snip>
>
> Or say you have a login on a site and your SQL is:
>
> SELECT * (yeah I know * is bad)
> FROM users
> WHERE username = '#form.username#'
> AND password = '#form.password#'
>
> What if the person puts the following in the password input field?  value:
> 1' OR 1 = 1
>
> Effectively they have just said
> SELECT *
> FROM users
> WHERE username = 'whatever'
> AND password = '1' OR 1 = 1
>
> And they are now logged in as the first user.    Those are a couple of simple
> methods.
>
> ~Dave
>
> _______________________________________________
> List mailing list
> Reply to DFWCFUG:
> [email protected]
> Subscribe/Unsubscribe:
> http://lists1.safesecureweb.com/mailman/listinfo/list
> List Archive:
> http://lists1.safesecureweb.com/mailman/private/list
> DFWCFUG Sponsors: www.HostMySite.com www.teksystems.com/
>



--
~Dave Shuck
[EMAIL PROTECTED]
www.daveshuck.com
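The weak and hardened forms of the queries discussed in the thread, as an added example written for this page rather than code from any of the posters. It assumes a placeholder datasource "appDSN" and a users table with an integer id column, and it covers the unquoted numeric parameter that the thread flags as the real risk, the login query, and the LIKE pattern case that cfqueryparam also handles.

```cfml
<!--- Added example (not from the thread). "appDSN" and the users/id
      columns are placeholders. --->

<!--- Weak: a numeric parameter sits in an unquoted position, so CF's
      automatic escaping of single quotes inside #variables# never applies.
      Whatever arrives in url.id is spliced straight into the SQL text. --->
<cfquery name="getUserWeak" datasource="appDSN">
    SELECT id, username
    FROM users
    WHERE id = #url.id#
</cfquery>

<!--- Hardened: cfqueryparam passes the value as a bind parameter, so the
      database treats it as data, never as SQL. cf_sql_integer additionally
      rejects input that is not an integer, which replaces the manual
      IsNumeric() check suggested in the thread. --->
<cfquery name="getUser" datasource="appDSN">
    SELECT id, username
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- The login query from the thread with both inputs bound. A password of
      1' OR 1 = 1 is compared as one literal string and matches no row;
      maxlength bounds the input size as a second line of defence. --->
<cfquery name="login" datasource="appDSN">
    SELECT id, username
    FROM users
    WHERE username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar" maxlength="50">
      AND password = <cfqueryparam value="#form.password#"
                                   cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>

<!--- The '%partial string%' case: bind the whole wildcard pattern as the
      parameter value rather than falling back to string concatenation. --->
<cfquery name="searchUsers" datasource="appDSN">
    SELECT id, username
    FROM users
    WHERE username LIKE <cfqueryparam value="%#form.q#%"
                                      cfsqltype="cf_sql_varchar">
</cfquery>
```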