[thelist] The URL SemiColon Exploit

David Shadovitz david_shadovitz at xontech.com
Mon Jan 21 11:39:03 CST 2002

.jeff wrote (many days ago):

This is easily solved in this instance by wrapping the variable with
the Val() function which will force the value to a number.

  <cfquery name="foo" datasource="#bar#">
    SELECT foo, bar FROM fubar WHERE rudy = #Val(url.rudy)#
  </cfquery>

Just wanted to point out that you can also eliminate the danger (I
think) by using CFQUERYPARAM.  That gets you the added bonus of re-using
the query's execution plan rather than having the RDBMS create the plan
each time the query is executed.  In this case, the query would look

WHERE rudy = <cfqueryparam value="#URL.rudy#" cfsqltype="cf_sql_integer">

More info:

Sorry if this was already mentioned.  I'm still catching up.
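The two defences discussed in this thread, numeric coercion (Val()) and bind parameters (CFQUERYPARAM), are shown below in Python against an in-memory SQLite table, as an added illustration that is not part of the original post and not ColdFusion code. The table `fubar`, its three rows and the tainted input string are constructed for the demo; `coerce_like_val` is a hypothetical approximation of ColdFusion's Val() (leading numeric prefix, else 0), not the real function.

```python
import re
import sqlite3

# Constructed stand-in for the "fubar" table from the thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fubar (foo TEXT, bar TEXT, rudy INTEGER)")
    conn.executemany(
        "INSERT INTO fubar VALUES (?, ?, ?)",
        [("a", "x", 1), ("b", "y", 2), ("c", "z", 3)],
    )
    return conn

def coerce_like_val(value):
    # Hypothetical approximation of ColdFusion Val(): keep the leading
    # numeric prefix of the string, otherwise return 0.
    m = re.match(r"\s*[-+]?\d+(\.\d+)?", str(value))
    if not m:
        return 0
    text = m.group(0).strip()
    return float(text) if "." in text else int(text)

def query_interpolated(conn, rudy):
    # The vulnerable form: "WHERE rudy = #url.rudy#" pastes the raw URL
    # value straight into the SQL text, so the value can change the query.
    sql = f"SELECT foo, bar FROM fubar WHERE rudy = {rudy}"
    return conn.execute(sql).fetchall()

def query_val(conn, rudy):
    # .jeff's fix: force the value to a number before interpolating it.
    # Anything after the numeric prefix is discarded, so the SQL shape
    # can no longer be altered by the input.
    sql = f"SELECT foo, bar FROM fubar WHERE rudy = {coerce_like_val(rudy)}"
    return conn.execute(sql).fetchall()

def query_param(conn, rudy):
    # The CFQUERYPARAM equivalent: the SQL text is fixed and the value is
    # sent separately as a bind parameter. The RDBMS can also cache the
    # execution plan for the constant SQL text, as the post notes.
    sql = "SELECT foo, bar FROM fubar WHERE rudy = ?"
    return conn.execute(sql, (rudy,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    tainted = "2 OR 1=1"  # constructed tautology input, as a URL parameter
    print("interpolated:", query_interpolated(db, tainted))  # every row
    print("Val():       ", query_val(db, tainted))           # only rudy = 2
    print("parameter:   ", query_param(db, tainted))         # no row matches
    print("parameter:   ", query_param(db, "2"))             # only rudy = 2
```

With the bind parameter the whole string is compared as data against the integer column, so a non-numeric value simply matches nothing; with Val() only the numeric prefix survives; with plain interpolation the input rewrites the WHERE clause.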

