[thelist] Security Tip

Raymond Camden jedimaster at macromedia.com
Tue Apr 3 13:04:41 CDT 2001

-doh- ! Sorry, my point had been to point out the problem _and_ provide a
fix. Thanks for covering for me, Joshua. :)

Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email   : jedimaster at macromedia.com
ICQ UIN : 3679482

"My ally is the Force, and a powerful ally it is." - Yoda

> -----Original Message-----
> From: thelist-admin at lists.evolt.org
> [mailto:thelist-admin at lists.evolt.org]On Behalf Of Joshua OIson
> Sent: Tuesday, April 03, 2001 5:01 PM
> To: thelist at lists.evolt.org
> Subject: Re: [thelist] Security Tip
> Raymond,
> The quick fix to that one may be to wrap a Val() around those sorts of
> queries.  That would make the code:
> <CFQUERY ..>
>   update tblfoo
>  set hit = 1
>  where id = #Val(URL.ID)#
> That code would be not prone to the sort of attack you mentioned.
>  I almost
> always do that, but I was doing it for crash-proofness.  Now I have extra
> motivation.  Thank you for the heads up.

More information about the thelist mailing list