List,

I have a query "module" (custom tag) that supports a user-defined "base
WHERE clause" as a parameter.  The query takes a number of pre-defined
parameters that it uses to build a WHERE clause, but the "base where" allows
the implementers of the query to tweak the results a bit.  I'm worried about
the potential for abuse, since in at least one instance this query will
receive the base where clause data from the querystring or form data.  What
do I need to look out for to ensure that malicious users cannot embed
dangerous SQL statements into the FORM or URL data?

Here's how it works on the page in question (unnecessary
parameters/statements have been removed for brevity):

<!--- set default for base where clause --->
<CFPARAM NAME="URL.BaseWhere" DEFAULT="">
<!--- set defaults for other query params --->
<CFPARAM NAME="URL.DeptID" DEFAULT="">
<CFPARAM NAME="URL.ProductSKU" DEFAULT="">

<!--- filter dangerous characters from data??? --->

<!--- run the query --->
<CFMODULE TEMPLATE="my_query.cfm"
    BaseWhere="#URL.BaseWhere#"
    DeptID="#URL.DeptID#"
    ProductSKU="#URL.ProductSKU#">

The resulting SQL statement looks a bit like this:
<CFQUERY NAME="qryName">
SELECT SKU,DeptID,ShortDesc,LongDesc
FROM Products
WHERE
<CFIF Len(Attributes.BaseWhere)>
    #Attributes.BaseWhere# AND
</CFIF>
DeptID = #Attributes.DeptID#
AND ProductSKU = '#Attributes.ProductSKU#'
</CFQUERY>

I don't know enough advanced SQL to know if this allows a malicious user to
embed dangerous statements into the WHERE clause or not.  Anyone have any
pointers?

Regards,
Seth Petry-Johnson
Argo Enterprise and Associates
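An added example, not from Seth's post or from the cf-talk list: the query above built two ways in Python against SQLite (standing in for the CFQUERY so it runs offline), using constructed sample rows, the assumed column name SKU for both the select list and the WHERE clause, and hypothetical filter names min_dept and desc_like. The vulnerable builder splices the attributes into the SQL exactly as the CFQUERY does, so a numeric payload, a quote breakout, and a BaseWhere of "1=1 OR 1=1" each return the whole table. The hardened builder binds DeptID and ProductSKU as parameters (what ColdFusion's cfqueryparam tag does in CFML) and replaces the free-form BaseWhere with a fixed set of named filters, because a clause the client supplies verbatim cannot be parameterized or reliably filtered.

```python
"""Mirror of the page's CFQUERY built by string concatenation, run against
SQLite to show the injections, beside a parameterized replacement."""
import sqlite3

# Constructed sample rows; the real Products table is not on the page.
SAMPLE_PRODUCTS = [
    ("SKU-100", 1, "Widget", "A standard widget"),
    ("SKU-200", 1, "Gadget", "A standard gadget"),
    ("SKU-300", 2, "Gizmo", "Stocked by department 2 only"),
]


def make_db():
    """Fresh in-memory database with the assumed Products schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Products (SKU TEXT, DeptID INTEGER, ShortDesc TEXT, LongDesc TEXT)"
    )
    conn.executemany("INSERT INTO Products VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def vulnerable_query(conn, base_where, dept_id, product_sku):
    """Same shape as the page's CFQUERY: every attribute is spliced into the SQL."""
    sql = "SELECT SKU, DeptID, ShortDesc, LongDesc FROM Products WHERE "
    if len(base_where):
        sql += base_where + " AND "
    sql += f"DeptID = {dept_id} AND SKU = '{product_sku}'"
    return conn.execute(sql).fetchall()


# Filters the page may expose in place of a raw BaseWhere string. Each name maps
# to a fixed column and operator; only the value travels as a bound parameter.
# (Hypothetical names, chosen for this example.)
ALLOWED_FILTERS = {
    "min_dept": ("DeptID", ">="),
    "desc_like": ("ShortDesc", "LIKE"),
}


def safe_query(conn, filters, dept_id, product_sku):
    """Parameterized equivalent; `filters` is a list of (name, value) pairs."""
    clauses, params = [], []
    for name, value in filters:
        if name not in ALLOWED_FILTERS:
            raise ValueError(f"unknown filter: {name!r}")
        column, op = ALLOWED_FILTERS[name]
        clauses.append(f"{column} {op} ?")
        params.append(value)
    # The int() conversion plays the role of cfqueryparam cfsqltype="cf_sql_integer":
    # "1 OR 1=1 --" is rejected here instead of becoming SQL.
    clauses.append("DeptID = ?")
    params.append(int(dept_id))
    clauses.append("SKU = ?")
    params.append(product_sku)
    sql = "SELECT SKU, DeptID, ShortDesc, LongDesc FROM Products WHERE " + " AND ".join(clauses)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(db, "", "1 OR 1=1 --", ""))        # comment swallows the rest: all 3 rows
    print(vulnerable_query(db, "", "1", "' OR '1'='1"))        # quote breakout: all 3 rows
    print(vulnerable_query(db, "1=1 OR 1=1", "1", "SKU-100"))  # BaseWhere is raw SQL by design: all 3 rows
    print(safe_query(db, [("min_dept", 2)], "2", "SKU-300"))   # one row
    print(safe_query(db, [], "1", "' OR '1'='1"))              # no rows: the payload is only a string value
```

Note that none of the payloads need characters a "filter dangerous characters" step would obviously strip: the DeptID payload is digits, spaces, letters and a comment marker, and the quote breakout works because the single quote is also legitimate in descriptions. Whether a payload can also chain a second statement (for example a DROP after a semicolon) depends on the driver and database; SQLite's execute() refuses more than one statement, many other drivers do not, so the parameterized form is the fix regardless.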


------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/