Ok... so even if it's in HEX format, it still will not get executed? That's good to know. So I do not have to do an if statement anymore; the cfqp will result in the hex not being executed.

Thanks, Larry

> No it won't. The value of a cfqp doesn't get executed unless you
> specifically execute it in your SQL:
>
> <cfquery>
>   EXEC(<cfqueryparam value="Dodgy SQL">)
> </cfquery>
>
> Adrian
> Build a database of ColdFusion errors at http://cferror.org/
>
> For the last few months, some websites I run as well as some other websites
> for companies I used to work for have had SQL statements meant to do SQL
> injection encoded in a hex format and used in the URL parameters. In the
> HEX, if you change it to ASCII text, you can see the SQL code. The SQL code
> contains exec() as well as some other statements. It sounds from what you're
> saying that the HEX would be sent to the DB and the code run? My
> understanding from talking to my IT director is that HEX can be run by the
> database if sent to it. I was just trying to find out if the HEX string was
> passed into the <cfqueryparam> and the <cfqueryparam> was varchar, would it
> then be passed to the database where the string would be run, effectively
> doing a SQL injection attack?
>
> Hope I am making sense.
>
> Thanks,
>
> Larry

Archive: http://www.houseoffusion.com/groups/cf-newbie/message.cfm/messageid:4087
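A worked illustration of Adrian's point, added here as an example and not taken from the thread or from ColdFusion itself: Python's sqlite3 bound parameters stand in for `<cfqueryparam>`, an in-memory `products` table and the `sp_placeholder` hex payload are constructed, and `cfsqltype="cf_sql_varchar"` in the comments is the assumed ColdFusion attribute. The hex string is compared and stored as plain data; the separate `flag_hex_parameter` helper is only a logging check for the pattern Larry describes.

```python
import re
import sqlite3

# Constructed sample input: a URL parameter carrying a long hex run.
# Decoded, the hex spells a placeholder statement, not a real payload.
HEX_BLOB = "0x" + "EXEC sp_placeholder".encode("ascii").hex()


def setup() -> sqlite3.Connection:
    """In-memory table standing in for the real datasource (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("widget",), ("gadget",)])
    conn.commit()
    return conn


def find_product(conn: sqlite3.Connection, name: str) -> list:
    """Equivalent of WHERE name = <cfqueryparam value="#url.name#"
    cfsqltype="cf_sql_varchar">: the driver binds the value separately from
    the SQL text, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT id, name FROM products WHERE name = ?", (name,)).fetchall()


def store_product(conn: sqlite3.Connection, name: str) -> str:
    """Insert through a bound parameter and read the row back: the hex
    string is stored byte-for-byte and nothing in it is evaluated."""
    conn.execute("INSERT INTO products (name) VALUES (?)", (name,))
    conn.commit()
    return conn.execute(
        "SELECT name FROM products WHERE name = ?", (name,)).fetchone()[0]


HEX_RUN = re.compile(r"0x[0-9A-Fa-f]{16,}")
SQL_WORDS = re.compile(r"\b(EXEC|DECLARE|CAST)\b", re.IGNORECASE)


def flag_hex_parameter(value: str) -> list:
    """Logging aid: decode long hex runs in a request parameter and return
    any that spell SQL keywords. This only reports; the bound parameter
    above is what actually keeps the query safe."""
    findings = []
    for match in HEX_RUN.finditer(value):
        try:
            decoded = bytes.fromhex(match.group()[2:]).decode("ascii", "replace")
        except ValueError:  # odd-length run is not valid hex
            continue
        if SQL_WORDS.search(decoded):
            findings.append(decoded)
    return findings
```

The remaining risk is exactly the one Adrian shows: once your own SQL takes the bound value and hands it to EXEC or builds dynamic SQL from it, the parameter binding no longer helps.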
