I'm reasonably sure it would stop them. The only thing I wonder is if there's a
bit of SQL they could put in there that would make it go excruciatingly slow...
thoughts? Possibly they could try putting new table names in there to guess how
your database is structured.

Maybe an array of conditions, where each condition is individually made safe,
and then you loop them with ands or ors in between?

David Cummins

Seth Petry-Johnson wrote:
> 
> > It looks to me like a malicious user could stick damned near anything in
> > there, unfortunately.
> >
> > If you're only going to put a single condition in there, I reckon the
> > easiest way to solve the problem would be to strip all spaces out of
> > their string.
> 
> No can do, since there is already a situation where I pass in multiple
> conditions.
> 
> If I just dropped (or aborted upon the discovery of) the semicolon
> character, would that effectively prevent users from "chaining" commands
> together?  I'm not interested in preventing malformed SQL statements (a
> CFCATCH block will catch DB errors), I'm just interested in preventing users
> from exploiting this system.
> 
> Thanks for the thoughts,
> Seth
> 
------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

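The two approaches discussed in this thread side by side, as an added example that is not code from either poster: a caller-supplied WHERE fragment with semicolons stripped (Seth's idea), next to an array of conditions where each condition is individually validated and its value bound as a parameter, then joined with AND or OR (David's idea). The table, rows and payloads are constructed for the example; SQLite is used only because it ships with Python (note that sqlite3's execute() refuses multiple statements anyway, so the interesting payloads here are exactly the ones that need no semicolon: an OR clause that matches every row, and a UNION that reads table names out of the schema).

```python
import sqlite3

# Constructed sample schema and data (not from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def unsafe_query(conn, where_clause):
    """The pattern under discussion: a raw WHERE fragment pasted into the SQL,
    with ';' removed to block statement chaining. Neither an 'OR 1=1' nor a
    'UNION SELECT ... FROM sqlite_master' contains a semicolon, so both get through."""
    where_clause = where_clause.replace(";", "")
    sql = "SELECT id, name, role FROM users WHERE " + where_clause
    return conn.execute(sql).fetchall()


# Whitelists are the trust boundary: only these identifiers/operators may
# appear in generated SQL. Everything else travels as a bound parameter.
ALLOWED_COLUMNS = {"id", "name", "role"}
ALLOWED_OPS = {"=", "<>", "<", ">", "<=", ">=", "LIKE"}


def build_where(conditions, joiner="AND"):
    """conditions: list of (column, operator, value) tuples.
    Returns (sql_fragment, params) with one '?' placeholder per value."""
    if joiner not in ("AND", "OR"):
        raise ValueError("joiner must be AND or OR")
    if not conditions:
        raise ValueError("at least one condition is required")
    parts, params = [], []
    for col, op, val in conditions:
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {col!r}")
        op = op.upper()
        if op not in ALLOWED_OPS:
            raise ValueError(f"operator not allowed: {op!r}")
        parts.append(f"{col} {op} ?")   # identifier and operator come from the whitelist
        params.append(val)              # the value never touches the SQL text
    return " {} ".format(joiner).join(parts), params


def safe_query(conn, conditions, joiner="AND"):
    where, params = build_where(conditions, joiner)
    sql = "SELECT id, name, role FROM users WHERE " + where + " ORDER BY id"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Semicolon-free payloads still succeed against the raw-fragment version.
    print(unsafe_query(db, "name = 'bob' OR 1=1"))                # all three rows
    print(unsafe_query(db, "name = 'x' UNION SELECT 1, name, sql FROM sqlite_master"))
    # The same text as a bound value matches nothing.
    print(safe_query(db, [("name", "=", "bob' OR 1=1")]))          # []
    print(safe_query(db, [("role", "=", "user"), ("name", "=", "carol")]))
    print(safe_query(db, [("name", "=", "alice"), ("name", "=", "bob")], "OR"))
```

The whitelist of column names is what answers the "guess how your database is structured" worry: a caller can only name columns the application already exposes, and the value side is never interpreted as SQL at all. A LIKE value can still be made expensive with long runs of wildcards, so a length cap on values is worth adding in front of this builder.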