[thelist] Security Tip

Joshua Olson joshua at alphashop.net
Tue Apr 3 12:59:46 CDT 2001


The quick fix to that one may be to wrap a Val() around those sorts of
queries.  That would make the code:

  update tblfoo
  set hit = 1
  where id = #Val(URL.ID)#

That code would not be prone to the sort of attack you mentioned.  I almost
always do that, but I was doing it for crash-proofness.  Now I have extra
motivation.  Thank you for the heads up.


----- Original Message -----
From: "Raymond Camden" <jedimaster at macromedia.com>
Subject: RE: [thelist] Security Tip

> Or, let's say you pass an ID number, and you have sql that does this:
> <CFQUERY ..>
> update tblfoo
> set hit = 1
> where id = #URL.ID#
> Some DBs let you do multiple sql statements just by appending a ;, so I
> could change ?x=5 to ?x=5;drop+tablename.
