>>
>> Use cfqueryparam around your variables :-)
>> Otherwise sooner or later someone will enter
>> mytitle';drop all;commit;
>> as a book title.
>
> I have an issue with people using cfqueryparam for this reason.
>
> You should be doing data validation long before you hit the query
But even if you validate data before you hit the query, you still need
the cfqueryparam against SQL injection attacks. Not all databases use
just the single quote as string delimiter. Many databases have escape
characters that escape the next character. Combinations of those make
many databases vulnerable in subtle ways that are database dependent.
The only way to protect against that is using cfqueryparam. With
cfqueryparam escaping is done by the driver (or the protocol) and
since that driver is database dependent you can reasonably expect to
know how the database behaves.
> Incidently, what you suggest above with the drop/commit in the text
> won't work in this instance. What you will wind up with is a book
> title of "mytitle';drop all;commit;" as CF will automatically
> escape the single quote, so that your insert text will be
> 'mytitle'';drop all;commit;' This is a prefectly valid SQL statement.
So we just insert "mytitle\';delete from books;commit;". CF escapes
that to "mytitle\'';delete from books;commit;" and in MySQL the
backslash negates the first single quote. But other databases behave
differently so you can't handle this in code in a portable way except
by using cfqueryparam.
And don't think that unselecting the "delete" checkbox in the CF
Administrator will protect you from this example.
Jochem
[Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
