Hi,
Enable robust exception information is checked in CF admin. So I guess it does
not make a difference.
[EMAIL PROTECTED] 30/03/2006 5:32 pm
Scott,
does the amount of information available to the site-wide template
change when check/uncheck the Enable Robust Exception Information in
the
Thanks,
will give your advice a go shortly
[EMAIL PROTECTED] 30/03/2006 6:29 pm
This seems to work for me:
<cfif isDefined("error.rootCause.SQL")>
SQL: #error.rootCause.SQL#<br>
<cfelseif structKeyExists(error.rootCause.tagContext[1], "SQL")>
SQL:
Crash, bang, boom of a CF site.
I wonder what kind of traffic they get? Might be some job opps
opening up or maybe just some hosting opportunities maybe? ;)
Chad
-
The web site
Dam,
That really looks open to SQL Injection, someone should let them know.
Regards
Dale Fraser
-Original Message-
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Chad Renando
Sent: Friday, 31 March 2006 14:06 PM
To: cfaussie@googlegroups.com
Subject:
Just curious, not knowing much about sql injection...
Wouldn't the 'val()' function be sufficient protection in this case? Presuming
that the sql that was trying to be 'injected' was stored in cookie.person_id
then the val() function will effectively nullify it by returning zero... No?
ps.
Yes,
You are correct, but there will be other queries on the page, I'm sure.
What you need for SQL injection, a table name: users.dbo.person
So the error gives all that and more, so if there is another keyword search
page or similar, without vals or cfqueryparams away you go.
Moral of the
not debugging, more 'Enable Robust Exception Information' is checked.
[EMAIL PROTECTED] 31/03/2006 3:01:00 pm
Yes,
You are correct, but there will be other queries on the page, I'm sure.
What you need for SQL injection, a table name: users.dbo.person
So the error gives all that and more,