[thelist] Security Tip

Raymond Camden jedimaster at macromedia.com
Tue Apr 3 13:04:41 CDT 2001


-doh- ! Sorry, my point had been to point out the problem _and_ provide a
fix. Thanks for covering for me, Joshua. :)

=======================================================================
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email   : jedimaster at macromedia.com
ICQ UIN : 3679482

"My ally is the Force, and a powerful ally it is." - Yoda

> -----Original Message-----
> From: thelist-admin at lists.evolt.org
> [mailto:thelist-admin at lists.evolt.org]On Behalf Of Joshua Olson
> Sent: Tuesday, April 03, 2001 5:01 PM
> To: thelist at lists.evolt.org
> Subject: Re: [thelist] Security Tip
>
> Raymond,
>
> The quick fix to that one may be to wrap a Val() around those sorts of
> queries.  That would make the code:
>
> <CFQUERY ..>
>   update tblfoo
>   set hit = 1
>   where id = #Val(URL.ID)#
> </CFQUERY>
>
> That code would not be prone to the sort of attack you mentioned. I almost
> always do that, but I was doing it for crash-proofness. Now I have extra
> motivation. Thank you for the heads up.
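The following is an added worked example, not code from either poster or from the evolt.org thread. It models the `#Val(URL.ID)#` fix in Python against an in-memory SQLite table so the effect can be run offline: `val()` is an approximation of ColdFusion's `Val()` (leading numeric prefix, otherwise 0), the table `tblfoo` with rows 1..3 is constructed for the example, and the payload `2 OR 1=1` is a constructed injection string. It also shows a bound parameter (the ColdFusion equivalent would be `cfqueryparam`, which the thread does not mention) because `Val()` only helps where the column is numeric; a string column needs a real parameter.

```python
import re
import sqlite3

# Approximation of ColdFusion's Val(): return the leading numeric portion of a
# string (optional sign, digits, optional fraction), or 0 when there is none.
# Written for this example; not the real ColdFusion implementation.
_NUM_PREFIX = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)")


def val(s):
    m = _NUM_PREFIX.match(str(s))
    if not m:
        return 0
    n = float(m.group(0))
    return int(n) if n.is_integer() else n  # "3" renders as 3, not 3.0


SCHEMA = "CREATE TABLE tblfoo (id INTEGER PRIMARY KEY, hit INTEGER NOT NULL DEFAULT 0)"


def fresh_db():
    """Constructed sample table: three rows, none hit yet."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO tblfoo (id, hit) VALUES (?, 0)", [(1,), (2,), (3,)])
    return con


def hit_ids(con):
    return [r[0] for r in con.execute("SELECT id FROM tblfoo WHERE hit = 1 ORDER BY id")]


def update_vulnerable(con, url_id):
    # Equivalent of: update tblfoo set hit = 1 where id = #URL.ID#
    # The raw request value is pasted into the SQL text.
    con.execute(f"update tblfoo set hit = 1 where id = {url_id}")
    return hit_ids(con)


def update_with_val(con, url_id):
    # Equivalent of: update tblfoo set hit = 1 where id = #Val(URL.ID)#
    # Val() keeps only the numeric prefix, so "2 OR 1=1" collapses to 2 and
    # "abc" collapses to 0 (which matches no row instead of raising an error).
    con.execute(f"update tblfoo set hit = 1 where id = {val(url_id)}")
    return hit_ids(con)


def update_parameterized(con, url_id):
    # General fix that also works for non-numeric columns: bind the value.
    # The payload is compared as data, never parsed as SQL.
    con.execute("update tblfoo set hit = 1 where id = ?", (url_id,))
    return hit_ids(con)


if __name__ == "__main__":
    payload = "2 OR 1=1"  # constructed injection string
    print("vulnerable   :", update_vulnerable(fresh_db(), payload))    # every row
    print("Val()        :", update_with_val(fresh_db(), payload))      # only id 2
    print("Val(), junk  :", update_with_val(fresh_db(), "abc"))        # nothing, no error
    print("parameterized:", update_parameterized(fresh_db(), payload)) # nothing
```

Running it shows the unfixed query flagging all three rows, the `Val()` version flagging only id 2, and non-numeric input turning into `id = 0`, which is the crash-proofing Joshua mentions: the query matches nothing rather than failing on a syntax error.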




