[thelist] The URL SemiColon Exploit
Scott Brady
evolt at scottbrady.net
Wed Jan 16 12:33:01 CST 2002
Dan Slater wrote:
> In case you didn't know, there's a way to pass any SQL Server command via
> the URL by simply adding a semicolon at the end of the address, followed
> by the SQL command. Apparently it only works if you pass a URL parameter
> first. (example: mysite.com?thisVar=True)
Another option (in addition to the advice you've been given) since you're
using ColdFusion is to use cfqueryparam, which I believe is supposed to
prevent the semicolon exploit.
So, instead of this:
<cfquery name="getItem" datasource="yourDSN"> <!--- datasource name is a placeholder --->
SELECT
item
FROM
tableName
WHERE
item_id = #item_id#
</cfquery>
You'd do this (assuming item_id is an integer in this case):
<cfquery name="getItem" datasource="yourDSN"> <!--- datasource name is a placeholder --->
SELECT
item
FROM
tableName
WHERE
item_id = <cfqueryparam value="#item_id#" cfsqltype="CF_SQL_INTEGER">
</cfquery>
That should be compatible with Oracle, SQL Server, and Access 2000 (based on
my experience).
Scott
----------------------------------------------
Scott Brady
http://www.scottbrady.net/
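The two queries in the post, as an added example that is not part of the original message and not ColdFusion: it uses Python's sqlite3 module to mirror what cfqueryparam with CF_SQL_INTEGER does (type check, then parameter binding) against plain string interpolation. The table name, column names and item_id come from the post; the rows, the function names and the use of executescript to stand in for a driver that accepts semicolon-separated batches are assumptions made here.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the post's "tableName".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tableName (item_id INTEGER PRIMARY KEY, item TEXT)")
    conn.executemany(
        "INSERT INTO tableName VALUES (?, ?)",
        [(1, "widget"), (2, "gadget"), (3, "gizmo")],
    )
    conn.commit()
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM tableName").fetchone()[0]


def build_unsafe_sql(item_id: str) -> str:
    # Equivalent of the first query in the post: the raw URL value is pasted
    # straight into the SQL text, so a ';' in it starts a second statement.
    return f"SELECT item FROM tableName WHERE item_id = {item_id}"


def fetch_item_unsafe(conn: sqlite3.Connection, item_id: str) -> None:
    # executescript runs every ';'-separated statement in the string, which is
    # the behaviour of a driver that allows batched statements (assumption).
    conn.executescript(build_unsafe_sql(item_id))


def fetch_item_safe(conn: sqlite3.Connection, item_id: str):
    # Mirror of <cfqueryparam cfsqltype="CF_SQL_INTEGER">: the value must be an
    # integer, otherwise the request is rejected before any SQL runs ...
    try:
        bound = int(item_id)
    except ValueError:
        raise ValueError(f"item_id is not an integer: {item_id!r}") from None
    # ... and it is passed as a bound parameter, never parsed as SQL text.
    row = conn.execute(
        "SELECT item FROM tableName WHERE item_id = ?", (bound,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(fetch_item_safe(db, "1"))            # widget
    try:
        fetch_item_safe(db, "1; DELETE FROM tableName")
    except ValueError as exc:
        print("rejected:", exc)
    print("rows after safe path:", row_count(db))
    fetch_item_unsafe(db, "1; DELETE FROM tableName")
    print("rows after unsafe path:", row_count(db))
```

The unsafe path loses every row because the appended statement is executed as part of the same batch; the safe path refuses the same input at the type check and would, even for a value that passed it, bind the integer as data rather than SQL.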