Have you tried this test case on ColdFusion 9?

A
On 21 September 2011 10:11, dRD <[email protected]> wrote:
> Posted already an issue to OBD's issue tracker, but thought I might
> as well post the bug here as well.
>
> To put it simply, OBD's single quote escaping is slightly broken and
> doesn't behave like it should, according to my understanding of CFML's
> standards. Basically, inline variables, when put into CFQUERY, are
> properly escaped for their single quotes, but when you use OBD's
> built-in functions inside CFQUERY, the resulting strings aren't escaped.
> Sure, the problem could be solved by using cfqueryparam instead, but
> as most of the CFML developers I know don't use cfqueryparam in every
> possible case imagined, that's quite a major problem.
>
> Basically, now, any code that uses built-in OBD functions inside
> CFQUERY is exposed to SQL injection attacks.
>
> Test scenarios that can be reproduced:
>
> ---
>
> <!--- test value containing a single quote --->
> <cfparam name="hippo" default="v6_0'hep" />
>
> <!--- plain variable: the engine escapes the quote --->
> <cfquery name="works" datasource="#ds#">
>     SELECT version_id, latest FROM dl_software_version
>     WHERE html_file_name = '#hippo#'
> </cfquery>
>
> <!--- bound parameter: no string building at all --->
> <cfquery name="works_too" datasource="#ds#">
>     SELECT version_id, latest FROM dl_software_version
>     WHERE html_file_name = <cfqueryparam value="#trim(hippo)#"
>                                          cfsqltype="cf_sql_varchar">
> </cfquery>
>
> <!--- function result stored in a variable first: escaped --->
> <cfset happo = "#trim(hippo)#" />
>
> <cfquery name="works_also" datasource="#ds#">
>     SELECT version_id, latest FROM dl_software_version
>     WHERE html_file_name = '#happo#'
> </cfquery>
>
> <!--- function call inline in the query: not escaped --->
> <cfquery name="doesnt_work" datasource="#ds#">
>     SELECT version_id, latest FROM dl_software_version
>     WHERE html_file_name = '#trim(hippo)#'
> </cfquery>
>
> ---
>
> I filed this as issue #377.
>
> Best,
>
> -Petteri
>
> --
> official tag/function reference: http://openbd.org/manual/
> mailing list - http://groups.google.com/group/openbd?hl=en

--
Alex Skinner
Managing Director
Pixl8 Interactive
Tel: +448452600726
Email: [email protected]
Web: pixl8.co.uk
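An added example, not part of the thread and not OpenBD's code: a Python/sqlite3 model of the three behaviours the report describes, so the effect of each can be checked offline. The table and rows are constructed here; the column names follow the report's query. It assumes that the engine's escaping of a plain `#var#` inside a cfquery string literal amounts to doubling single quotes, and that the `'#trim(hippo)#'` case interpolates the function result raw. The bound-parameter path is the equivalent of cfqueryparam.

```python
import sqlite3

# Constructed sample data standing in for the dl_software_version table.
ROWS = [(1, 1, "v6_0'hep"), (2, 0, "v6_1"), (3, 1, "v7_0")]

SELECT = "SELECT version_id, latest FROM dl_software_version WHERE html_file_name = "


def make_db():
    """Build an in-memory database holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE dl_software_version "
        "(version_id INTEGER, latest INTEGER, html_file_name TEXT)"
    )
    con.executemany("INSERT INTO dl_software_version VALUES (?, ?, ?)", ROWS)
    return con


def cfml_escape(value):
    """Assumed model of what the engine does to a plain #var# inside a
    cfquery string literal: double every single quote."""
    return value.replace("'", "''")


def query_inline_escaped(con, name):
    """Model of '#hippo#' / '#happo#': value escaped before interpolation."""
    return con.execute(SELECT + "'" + cfml_escape(name) + "'").fetchall()


def query_inline_unescaped(con, name):
    """Model of '#trim(hippo)#' as reported: function result dropped into
    the SQL string with no escaping at all."""
    return con.execute(SELECT + "'" + name.strip() + "'").fetchall()


def query_param(con, name):
    """The cfqueryparam equivalent: the value is bound, never concatenated."""
    return con.execute(SELECT + "?", (name.strip(),)).fetchall()


def run(query_fn, con, name):
    """Run one model and report either the rows or the SQL error it caused."""
    try:
        return ("rows", query_fn(con, name))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("v6_0'hep", "x' OR '1'='1"):
        for fn in (query_inline_escaped, query_inline_unescaped, query_param):
            print(f"{fn.__name__:24s} {value!r:18s} -> {run(fn, db, value)}")
```

With the report's own value `v6_0'hep`, the escaped and bound paths both return the matching row, while the unescaped path produces a malformed statement and fails. With a value that carries its own `OR` clause, the unescaped path returns every row in the table, which is the injection the report warns about; the other two paths return nothing.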
