I already posted an issue to OBD's issue tracker, but thought I might
as well post the bug here too.
To put it simply, OBD's single quote escaping is slightly broken and
doesn't behave like it should, according to my understanding of CFML's
standards. Basically, inline variables, when put into CFQUERY, are
properly escaped for their single quotes, but when you use OBD's built-
in functions inside CFQUERY, the resulting strings aren't escaped.
Sure, the problem could be solved by using cfqueryparam instead, but
as most of the CFML developers I know don't use cfqueryparam in every
possible case imagined, that's quite a major problem.
Basically, right now any code that uses built-in OBD functions inside
CFQUERY is exposed to SQL injection attacks.
Test scenarios that can be reproduced:
---
<cfparam name="hippo" default="v6_0'hep" />
<cfquery name="works" datasource="#ds#">
SELECT version_id, latest FROM dl_software_version
WHERE html_file_name = '#hippo#'
</cfquery>
<cfquery name="works_too" datasource="#ds#">
SELECT version_id, latest FROM dl_software_version
WHERE html_file_name = <cfqueryparam value="#trim(hippo)#"
cfsqltype="cf_sql_varchar">
</cfquery>
<cfset happo="#trim(hippo)#"/>
<cfquery name="works_also" datasource="#ds#">
SELECT version_id, latest FROM dl_software_version
WHERE html_file_name = '#happo#'
</cfquery>
<cfquery name="doesnt_work" datasource="#ds#">
SELECT version_id, latest FROM dl_software_version
WHERE html_file_name = '#trim(hippo)#'
</cfquery>
---
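As an added example (not code from this post or from the OpenBD project), here is a small Python lint over CFML source that flags exactly the pattern described above: a #expr# interpolation spliced into a <cfquery> body that is a function call rather than a bare variable and is not wrapped in cfqueryparam. The sample source is constructed from the test scenarios in this post, and the regexes assume the simple tag shapes used there.

```python
"""Flag <cfquery> interpolations that are function-call results rather
than bare variables.  Under the behaviour described in the post, OpenBD
single-quote-escapes a bare #variable# spliced into SQL but not the
result of a built-in function such as #trim(x)#, so the latter should be
bound with cfqueryparam instead."""
from __future__ import annotations
import re
from dataclasses import dataclass

# One <cfquery name="..."> ... </cfquery> block; the tag's own attributes
# (e.g. datasource="#ds#") are excluded from the captured body.
CFQUERY_RE = re.compile(
    r'<cfquery\b[^>]*\bname="([^"]+)"[^>]*>(.*?)</cfquery>', re.S | re.I)
# A cfqueryparam tag, possibly spanning lines; its value is bound, not spliced.
PARAM_RE = re.compile(r"<cfqueryparam\b.*?>", re.S | re.I)
INTERP_RE = re.compile(r"#([^#]+)#")
# Bare variable or struct/array path, e.g. hippo, form.id, arr[1]
IDENT_RE = re.compile(r"^[A-Za-z_][\w.\[\]]*$")

@dataclass
class Finding:
    query: str
    expr: str
    reason: str

def lint_cfquery(source: str) -> list[Finding]:
    """Return one Finding per spliced interpolation that is not a bare variable."""
    findings: list[Finding] = []
    for m in CFQUERY_RE.finditer(source):
        name, body = m.group(1), m.group(2)
        sql_only = PARAM_RE.sub("", body)   # drop bound parameters
        for expr in INTERP_RE.findall(sql_only):
            expr = expr.strip()
            if IDENT_RE.match(expr):
                continue                    # engine escapes bare variables
            findings.append(Finding(name, expr,
                "function result spliced into SQL is not quote-escaped; use cfqueryparam"))
    return findings

# Constructed sample: the test scenarios from the post.
SAMPLE = '''<cfparam name="hippo" default="v6_0'hep" />
<cfquery name="works" datasource="#ds#">
SELECT version_id, latest FROM dl_software_version
WHERE html_file_name = '#hippo#'
</cfquery>
<cfquery name="works_too" datasource="#ds#">
SELECT version_id, latest FROM dl_software_version
WHERE html_file_name = <cfqueryparam value="#trim(hippo)#"
cfsqltype="cf_sql_varchar">
</cfquery>
<cfquery name="doesnt_work" datasource="#ds#">
SELECT version_id, latest FROM dl_software_version
WHERE html_file_name = '#trim(hippo)#'
</cfquery>'''

if __name__ == "__main__":
    for f in lint_cfquery(SAMPLE):
        print(f"{f.query}: #{f.expr}# -> {f.reason}")
```

Only the `doesnt_work` query is reported; `works` and `works_too` pass because one uses a bare variable and the other binds the value with cfqueryparam.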
I filed this as issue #377.
Best,
-Petteri
--
official tag/function reference: http://openbd.org/manual/
mailing list - http://groups.google.com/group/openbd?hl=en