[thelist] The URL SemiColon Exploit
David Shadovitz
david_shadovitz at xontech.com
Mon Jan 21 11:39:03 CST 2002
.jeff wrote (many days ago):
this is easily solved in this instance by wrapping the variable with
the Val() function which will force the value to a number.
<cfquery name="foo" datasource="#bar#">
SELECT foo, bar FROM fubar WHERE rudy = #Val(url.rudy)#
</cfquery>
Just wanted to point out that you can also eliminate the danger (I
think) by using CFQUERYPARAM. That gets you the added bonus of re-using
the query's execution plan rather than having the RDBMS create the plan
each time the query is executed. In this case, the query would look
like:
WHERE rudy = <cfqueryparam value="#URL.rudy#" cfsqltype="CF_SQL_INTEGER">
More info:
http://webforums.macromedia.com/coldfusion/messageview.cfm?catid=3&threadid=237563
Sorry if this was already mentioned. I'm still catching up.
-David
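To put the two fixes from the thread side by side, here is an added example (not code from either poster) that writes the same lookup three ways in one template: the concatenated form the thread is warning about, the Val() form, and the cfqueryparam form. The datasource "bar", table "fubar" and integer column "rudy" are placeholders carried over from the thread, not a real schema.

```cfml
<!--- Added example; assumes a datasource "bar" and a table "fubar"
      with an integer column "rudy" (placeholders from the thread). --->

<!--- Default the parameter so the template does not throw when URL.rudy
      is absent; "0" is an arbitrary, obviously-invalid key. --->
<cfparam name="URL.rudy" default="0">

<!--- 1. Unsafe: the raw URL value is pasted into the SQL text, so the
      client controls part of the statement. Shown only for contrast. --->
<cfquery name="unsafe" datasource="bar">
    SELECT foo, bar FROM fubar WHERE rudy = #URL.rudy#
</cfquery>

<!--- 2. Val(): the value is coerced to a number before it reaches the SQL
      text. Val("abc") is 0 and Val("12abc") is 12, so the statement is
      always a plain integer comparison; the trade-off is that bad input
      silently turns into a lookup for rudy = 0 (or a truncated number). --->
<cfquery name="withVal" datasource="bar">
    SELECT foo, bar FROM fubar WHERE rudy = #Val(URL.rudy)#
</cfquery>

<!--- 3. cfqueryparam: the value travels as a bound parameter, never as SQL
      text, and the typed parameter lets the RDBMS reuse the prepared plan.
      A value that is not a valid integer raises a ColdFusion error instead
      of being silently coerced, which is usually the behaviour you want. --->
<cfquery name="withParam" datasource="bar">
    SELECT foo, bar FROM fubar
    WHERE rudy = <cfqueryparam value="#URL.rudy#" cfsqltype="CF_SQL_INTEGER">
</cfquery>
```

The difference a reviewer cares about is where the value ends up: in forms 1 and 2 it becomes part of the statement string (form 2 is safe only because Val() guarantees the string is a number), whereas in form 3 the statement is fixed and the value is bound separately.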