[thelist] Security Tip
Joshua Olson
joshua at alphashop.net
Tue Apr 3 12:59:46 CDT 2001
Raymond,
The quick fix to that one may be to wrap a Val() around those sorts of
queries. That would make the code:
<CFQUERY ..>
update tblfoo
set hit = 1
where id = #Val(URL.ID)#
</CFQUERY>
That code would not be prone to the sort of attack you mentioned. I almost
always do that, but I was doing it for crash-proofness. Now I have extra
motivation. Thank you for the heads up.
-joshua
----- Original Message -----
From: "Raymond Camden" <jedimaster at macromedia.com>
Subject: RE: [thelist] Security Tip
> Or, let's say you pass an ID number, and you have sql that does this:
>
> <CFQUERY ..>
> update tblfoo
> set hit = 1
> where id = #URL.ID#
> </CFQUERY>
>
> Some DBs let you do multiple sql statements just by appending a ;, so I
> could change ?x=5 to ?x=5;drop+tablename.
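An added worked example, not code from either mail: it uses Python and an in-memory SQLite database to show the three outcomes the thread describes for the `tblfoo` update. `cf_val()` is an assumed approximation of ColdFusion's Val() (numeric prefix of the string, else 0), `sqlite3.executescript()` stands in for a database that runs stacked `;`-separated statements, and the table rows are constructed sample data.

```python
import re
import sqlite3

# Emulation of ColdFusion's Val(): take the numeric prefix of a string, else 0.
# Assumption: this approximates Val() for the integer IDs discussed; it is not CF's own code.
def cf_val(s):
    m = re.match(r"\s*([+-]?\d+(?:\.\d+)?)", s)
    if not m:
        return 0
    text = m.group(1)
    return float(text) if "." in text else int(text)

# The vulnerable pattern from Raymond's mail: the URL parameter is pasted into SQL text.
def build_query_unsafe(url_id):
    return f"update tblfoo set hit = 1 where id = {url_id}"

# Joshua's fix: Val() collapses the parameter to a number before it reaches the SQL text,
# so a trailing ';drop ...' can never become a second statement.
def build_query_val(url_id):
    return f"update tblfoo set hit = 1 where id = {cf_val(url_id)}"

# Constructed sample table: three rows, no hits yet.
def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tblfoo (id integer primary key, hit integer default 0)")
    conn.executemany("insert into tblfoo (id) values (?)", [(1,), (5,), (9,)])
    conn.commit()
    return conn

# Report whether tblfoo still exists and, if so, how many rows have been marked as hit.
def table_state(conn):
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = 'tblfoo'"
    ).fetchone()
    if row[0] == 0:
        return (False, None)
    hits = conn.execute("select count(*) from tblfoo where hit = 1").fetchone()[0]
    return (True, hits)

# Run a built SQL string the way a DB that accepts stacked statements would: every
# ';'-separated statement is executed. sqlite3.executescript() behaves exactly that way.
def run_text_query(builder, url_id):
    conn = fresh_db()
    conn.executescript(builder(url_id))
    return table_state(conn)

# The stronger fix: validate the type strictly, then bind the value as a query parameter so
# the driver never splices it into SQL text. Unlike Val(), bad input is rejected, not coerced.
def update_hit_param(conn, url_id):
    try:
        id_value = int(url_id)
    except ValueError:
        return False
    conn.execute("update tblfoo set hit = 1 where id = ?", (id_value,))
    conn.commit()
    return True

if __name__ == "__main__":
    payload = "5;drop table tblfoo"
    print("unsafe :", run_text_query(build_query_unsafe, payload))  # table is gone
    print("Val()  :", run_text_query(build_query_val, payload))     # row 5 updated, table intact
    conn = fresh_db()
    print("param  :", update_hit_param(conn, payload), table_state(conn))  # rejected, unchanged
```

The Val() path shows the caveat worth knowing: the attack is neutralised, but `Val("5;drop table tblfoo")` is 5, so the update on row 5 still silently happens and nothing is logged or rejected. Strict validation plus parameter binding (in ColdFusion, `<cfqueryparam cfsqltype="cf_sql_integer" value="#URL.ID#">` inside the `<CFQUERY>`) refuses the malformed value outright, which is also the point at which you would want to raise an alert.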