Think of it in terms of "securing your database"!
Joe Kelly

On 12/7/05, Lewis, David <[EMAIL PROTECTED]> wrote:
> Good point, looks like I need to retrain some developers :)
>
> It sure does junk up the CFQUERY code though..
>
> -----Original Message-----
> From: Dave Shuck [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 06, 2005 9:27 PM
> To: Dallas/Fort Worth ColdFusion User Group Mailing List
> Subject: Re: [DFW CFUG] cfm hacks
>
>
> Other than doing '%partial strings%', why would you ever *not* use
> <cfqueryparam>?  To me, it seems like an obvious and easy solution to the
> problem.
>
> Additionally, if you create objects to manage the writing and reading of
> data to your database, then you can easily add yet another level of safety
> by typing all arguments to and from the methods.  Just another $0.02. :)
>
> ~Dave
>
> On 12/6/05, Lewis, David <[EMAIL PROTECTED]> wrote:
> >
> > You'd have to get the quotes closed for it to see the semi-colon and
> > additional commands, and I don't think CF will let you do that, from
> > what I can tell...unless you are using the PreserveSingleQuotes
> > function on the parameter..that would allow it to work.
> >
> > We probably should not trust CF to do this for us tho..I need to look
> > back at some of the suggestions.
> >
> > But..if this is the case, then the real worry for a beginning
> > programmer is just the numeric parameters...you can check em with
> > "IsNumeric" before using
> > them in a query..
> >
> > -----Original Message-----
> > From: Knipp, Eric [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, December 06, 2005 4:46 PM
> > To: Dallas/Fort Worth ColdFusion User Group Mailing List
> > Subject: RE: [DFW CFUG] cfm hacks
> >
> >
> > If an attacker adds a semicolon to the query string, additional
> > commands could be executed.. wouldn't this be a problem?
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]
> > On Behalf Of Lewis, David
> > Sent: Tuesday, December 06, 2005 2:35 PM
> > To: 'Dallas/Fort Worth ColdFusion User Group Mailing List'
> > Subject: RE: [DFW CFUG] cfm hacks
> >
> > Can anyone show that this example is still vulnerable in current CF
> > versions?  I'm seeing that CF escapes the quote mark and your parm
> > string stays intact..ie..
> >
> > SELECT *
> > FROM users
> > WHERE username = 'whatever'
> > AND password = '1'' OR 1 = 1'
> >
> > -----Original Message-----
> > From: Dave Shuck [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, December 06, 2005 3:45 PM
> > To: Dallas/Fort Worth ColdFusion User Group Mailing List
> > Subject: Re: [DFW CFUG] cfm hacks
> >
> > <snip>
> >
> > Or say you have a login on a site and your SQL is:
> >
> > SELECT * (yeah I know * is bad)
> > FROM users
> > WHERE username = '#form.username#'
> > AND password = '#form.password#'
> >
> > What if the person puts the following in the password input field?
> > value: 1' OR 1 = 1
> >
> > Effectively they have just said
> > SELECT *
> > FROM users
> > WHERE username = 'whatever'
> > AND password = '1' OR 1 = 1
> >
> > And they are now logged in as the first user. Those are a couple of
> > simple methods.
> >
> > ~Dave
> >
> > _______________________________________________
> > List mailing list
> > Reply to DFWCFUG:
> > [email protected]
> > Subscribe/Unsubscribe:
> > http://lists1.safesecureweb.com/mailman/listinfo/list
> > List Archive: http://lists1.safesecureweb.com/mailman/private/list
> > DFWCFUG Sponsors: www.HostMySite.com www.teksystems.com/
> >
>
> --
> ~Dave Shuck
> [EMAIL PROTECTED]
> www.daveshuck.com

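As an added example (not code from any poster in this thread), here is the login query Dave quoted in its string-interpolated form beside the <cfqueryparam> form, plus the two cases the thread raises: the '%partial strings%' LIKE search and a numeric parameter. The datasource name, table and column names are assumed.

```cfml
<!--- Vulnerable: form values are pasted straight into the SQL text.
      CF escapes single quotes inside #...# here, which is why David saw
      the '1'' OR 1 = 1' string stay intact, but an unquoted numeric
      parameter gets no such protection. --->
<cfquery name="qLogin" datasource="myDSN">
    SELECT user_id, username
    FROM users
    WHERE username = '#form.username#'
      AND password = '#form.password#'
</cfquery>

<!--- Hardened: every user-supplied value is bound as a typed parameter,
      so the value can never be parsed as SQL. --->
<cfquery name="qLogin" datasource="myDSN">
    SELECT user_id, username
    FROM users
    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">
      AND password = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>

<!--- The '%partial strings%' case: put the wildcards in the bound value,
      not in the SQL text, and cfqueryparam still applies. --->
<cfquery name="qSearch" datasource="myDSN">
    SELECT user_id, username
    FROM users
    WHERE username LIKE <cfqueryparam value="%#form.q#%" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- Numeric parameter: cf_sql_integer makes CF reject non-numeric input
      before the query is sent, so no separate IsNumeric() check is needed. --->
<cfquery name="qUser" datasource="myDSN">
    SELECT user_id, username
    FROM users
    WHERE user_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

Wrapping these in a data-access CFC with typed arguments, as Dave suggests, adds a second check in front of the query for free.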