It looks to me like a malicious user could stick damned near anything in there,
unfortunately.
If you're only going to put a single condition in there, I reckon the easiest
way to solve the problem would be to strip all spaces out of their string. In
this case you'd get the following:
Good case:
BaseWhere: "ShortDesc = LongDesc"
Executed query:
SELECT SKU,DeptID,ShortDesc,LongDesc
FROM Products
WHERE
ShortDesc=LongDesc AND
DeptID = #Attributes.DeptID#
AND ProductSKU = '#Attributes.ProductSKU#'
This would execute fine.
Bad case:
BaseWhere: "1=1; drop table products; select * from products where 1=1"
Executed query:
SELECT SKU,DeptID,ShortDesc,LongDesc
FROM Products
WHERE
1=1;droptableproducts;select*fromproductswhere1=1 AND
DeptID = #Attributes.DeptID#
AND ProductSKU = '#Attributes.ProductSKU#'
This would have an SQL error, not drop the products table.
You might want to tweak it. Also consider that their statements might contain
single quotes, and you may have to use PreserveSingleQuotes in your CF.
David Cummins
Seth Petry-Johnson wrote:
>
> This is a multi-part message in MIME format.
>
> ------=_NextPart_000_00C1_01BFFBFD.799EA140
> Content-Type: text/plain;
> charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
>
> List,
>
> I have a query "module" (custom tag) that supports a user-defined "base
> WHERE clause" as a parameter. The query takes a number of pre-defined
> parameters that it uses to build a WHERE clause, but the "base where" allows
> the implementers of the query to tweak the results a bit. I'm worried about
> the potential for abuse, since in at least one instance this query will
> receive the base where clause data from the querystring or form data. What
> do I need to look out for to ensure that malicious users can not embed
> dangerous SQL statements into the FORM or URL data?
>
> Here's how it works on the page in question (unnecessary
> parameters/statements have been removed for brevity):
>
> <!--- set default for base where clause --->
> <CFPARAM NAME="URL.BaseWhere" DEFAULT="">
> <!--- set defaults for other query params --->
> <CFPARAM NAME="URL.DeptID" DEFAULT="">
> <CFPARAM NAME="URL.ProductSKU" DEFAULT="">
>
> <!--- filter dangerous characters from data??? --->
>
> <!--- run the query --->
> <CFMODULE TEMPLATE="my_query.cfm"
> BaseWhere="#URL.BaseWhere#"
> DeptID="#URL.DeptID#"
> ProductSKU="#URL.ProductSKU#">
>
> the resulting SQL statement looks a bit like this:
> <CFQUERY NAME="qryName">
> SELECT SKU,DeptID,ShortDesc,LongDesc
> FROM Products
> WHERE
> <CFIF Len(Attributes.BaseWhere)>
> #Attributes.BaseWhere# AND
> </CFIF>
> DeptID = #Attributes.DeptID#
> AND ProductSKU = '#Attributes.ProductSKU#'
> </CFQUERY>
>
> I don't know enough advanced SQL to know if this allows a malicious user
> could embed dangerous statements into the WHERE clause or not. Anyone have
> any pointers?
>
> Regards,
> Seth Petry-Johnson
> Argo Enterprise and Associates
> ------------------------------------------------------------------------------
> Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
> To Unsubscribe visit
>http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a
>message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
