No, it won't. The value of a cfqueryparam doesn't get executed unless you
specifically execute it in your SQL:
<cfquery name="q" datasource="myDSN">
EXEC(<cfqueryparam value="Dodgy SQL" cfsqltype="cf_sql_varchar">)
</cfquery>
Adrian
Build a database of ColdFusion errors at http://cferror.org/
-----Original Message-----
From: Larry Schaberg
Sent: 28 October 2008 14:46
To: cf-newbie
Subject: Re: Question on cfqueryparam CFMX7 and HEX
For the last few months, some websites I run as well as some other websites
for companies I used to work for have had SQL statements meant to do SQL
injection encoded in a hex format and used in the URL parameters. In the
HEX, if you change it to ASCII text, you can see the SQL code. The SQL code
contains exec() as well as some other statements. It sounds from what you're
saying that the HEX would be sent to the DB and the code run? My
understanding from talking to my IT director is that HEX can be run by the
database if sent to it. I was just trying to find out if the HEX string was
passed into the <cfqueryparam> and the <cfqueryparam> was varchar, would it
then be passed to the database where the string would be run, effectively
doing a SQL injection attack?
Hope I am making sense.
Thanks,
Larry
>What do you mean by 'execute' ?
>
>Can you give me a specific example of what you are talking about?
>
>Dave
>
>Yes, so it sounds like it would go through to the database and execute if I
>am understanding correctly?
>
>etc.
>>If it does, then I do not need to do this anymore.
>>
>>
>>Thanks in advance.
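An added example, not from anyone in this thread, written in Python rather than CFML so it runs anywhere: it decodes hex-looking URL parameters the way Larry describes, flags the ones whose decoded text contains SQL keywords (a useful log check), and then binds the raw value as a query parameter, which is what cfqueryparam does, to show the database treats it as a string literal. SQLite stands in for the unnamed database, and the URL and hex payload are constructed for the demonstration.

```python
import binascii
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Keywords whose presence in a decoded hex blob is worth an alert.
SQL_MARKERS = re.compile(
    r"\b(EXEC|DECLARE|CAST|UNION|SELECT|INSERT|UPDATE|DELETE)\b", re.I)
# A query value that is nothing but hex digits (optionally 0x-prefixed), 8+ bytes long.
HEX_BLOB = re.compile(r"^(?:0x)?(?:[0-9a-fA-F]{2}){8,}$")

# Constructed sample: the id parameter carries the hex encoding of a SQL fragment.
PAYLOAD_TEXT = "DECLARE @S VARCHAR(64); EXEC(@S)"
SAMPLE_URL = "http://example.invalid/page.cfm?id=0x" + PAYLOAD_TEXT.encode().hex()


def decode_hex_params(url):
    """Return {param_name: decoded_text} for query values that are long hex blobs."""
    found = {}
    for name, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            if HEX_BLOB.match(value):
                digits = value[2:] if value.lower().startswith("0x") else value
                # latin-1 never fails, so odd bytes still show up for a human to read.
                found[name] = binascii.unhexlify(digits).decode("latin-1")
    return found


def flag_sql_in_params(url):
    """Names of parameters whose decoded hex text contains SQL keywords."""
    decoded = decode_hex_params(url)
    return sorted(name for name, text in decoded.items() if SQL_MARKERS.search(text))


def lookup_by_bound_param(value):
    """Bind the attacker-supplied value as data, as cfqueryparam would.

    Returns (matching rows, row count afterwards): the decoded SQL is compared
    as a plain string, never parsed as SQL, so nothing is executed.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    con.execute("INSERT INTO articles VALUES (1, 'hello')")
    rows = con.execute("SELECT title FROM articles WHERE title = ?", (value,)).fetchall()
    count = con.execute("SELECT COUNT(*) FROM articles").fetchone()[0]
    con.close()
    return rows, count


if __name__ == "__main__":
    print(decode_hex_params(SAMPLE_URL))
    print(flag_sql_in_params(SAMPLE_URL))
    print(lookup_by_bound_param(PAYLOAD_TEXT))
```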
Archive:
http://www.houseoffusion.com/groups/cf-newbie/message.cfm/messageid:4086