[thelist] Security Tip
Raymond Camden
jedimaster at macromedia.com
Tue Apr 3 12:54:06 CDT 2001
> If you put your SQL in a URL parameter, all someone has to do is change the
> URL to run whatever query they want to run on your database. In nearly all
> cases, this includes INSERT, UPDATE, and DELETE statements. See where I'm
> going with this?
Or, let's say you pass an ID number, and you have sql that does this:
<CFQUERY ..>
<!--- #URL.ID# is pasted straight into the SQL text, unquoted and unchecked --->
update tblfoo
set hit = 1
where id = #URL.ID#
</CFQUERY>
Some DBs let you do multiple sql statements just by appending a ;, so I
could change ?x=5 to ?x=5;drop+tablename.
=======================================================================
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email : jedimaster at macromedia.com
ICQ UIN : 3679482
"My ally is the Force, and a powerful ally it is." - Yoda
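The two forms of the update above, reproduced in Python against an in-memory SQLite table so the difference can be run. This is an added example, not code from the post or from ColdFusion: `tblfoo` and its five sample rows are constructed here, `executescript()` stands in for a database that accepts several `;`-separated statements in one call, and the bound `?` placeholder plays the role a `cfqueryparam` with `cfsqltype="cf_sql_integer"` would play in the original query.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the post's tblfoo, ids 1..5."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tblfoo (id integer primary key, hit integer default 0)")
    conn.executemany("insert into tblfoo (id) values (?)", [(i,) for i in range(1, 6)])
    conn.commit()
    return conn


def unsafe_update(conn, url_id):
    """Mirrors the post's <CFQUERY>: the URL value is pasted into the SQL text.

    executescript() is used on purpose so that, like the databases the post
    warns about, a ';' in the input runs a second statement. Returns the SQL
    text that was actually sent, so the caller can see what the DB saw."""
    sql = f"update tblfoo set hit = 1 where id = {url_id}"
    conn.executescript(sql)
    conn.commit()
    return sql


def safe_update(conn, url_id):
    """Parameterised form. The value travels separately from the SQL text, so
    it is compared against id and never parsed as SQL. The int() check is the
    cf_sql_integer-style type check: it rejects anything that is not a plain
    number before the query is even built (binding alone would already be
    enough to stop the injection). Returns the number of rows updated."""
    try:
        id_value = int(url_id)
    except ValueError:
        return 0
    cur = conn.execute("update tblfoo set hit = 1 where id = ?", (id_value,))
    conn.commit()
    return cur.rowcount


def table_exists(conn):
    """True while tblfoo is still present in the schema."""
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = 'tblfoo'"
    ).fetchone()
    return row[0] == 1


def hits(conn):
    """Number of rows whose hit flag has been set."""
    return conn.execute("select count(*) from tblfoo where hit = 1").fetchone()[0]


if __name__ == "__main__":
    bad_input = "5;drop table tblfoo"   # the post's ?x=5;drop+tablename, URL-decoded
    conn = make_db()
    print("safe:", safe_update(conn, bad_input), "rows updated; table kept:", table_exists(conn))
    conn = make_db()
    print("unsafe sent:", unsafe_update(conn, bad_input), "; table kept:", table_exists(conn))
```

The parameterised version accepts `5` and updates one row, while the injected string updates nothing and leaves the table in place; the concatenated version hands the database two statements and the table is gone. Checking the bound-parameter query's row count in your own code is a cheap way to confirm the driver is binding rather than interpolating.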