Just to double check, I tested this by doing this:

http://192.168.0.100/experiments/temp/queries.cfm?user_id='1'   << note the single quotes

In the Debugging, I get this:
getuser (Records=0, Time=0ms)

SQL =
select first_name
    from users
         where user_id='''1'''  << note the extra doubled up single quotes

Then I tried the code you had below:
http://192.168.0.100/experiments/temp/queries.cfm?user_id='h4ck3r\';%20DROP%20TABLE%20temp;%20COMMIT;%20--'

getuser (Records=0, Time=0ms)
SQL =
select first_name
    from users
         where user_id='''h4ck3r\''; DROP TABLE temp; COMMIT; --''' << note the doubled up single quotes still

The table is still there. Of course this is on SQL2000. So that may be a
difference. But it's CF that's doubling up the quotes, not the database. Do
you have a development Oracle server you could try this on? I'm very curious
if there is a difference.

Steve Nelson

  -----Original Message-----
  From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, March 24, 2004 3:34 AM
  To: CF-Talk
  Subject: RE: why are procedures better? (was: RE: Securing CF Apps.)

  This type of coding can be insecure. Just imagine what would happen in
  Oracle, MySQL or any other database that uses C-style escaping when
  combined with:
  <cfset url.user_id = "h4ck3r\'; DROP TABLE users; COMMIT; --">
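An added illustration, written for this page and not code from either message: it applies the same single-quote doubling ColdFusion performed in the test above to the URL value, then scans the resulting statement under two conventions, standard SQL (only '' escapes a quote) and backslash escaping as MySQL honours by default. The scanner is a deliberately small model of how a database reads string literals, not a real SQL parser.

```python
# Added example, not from the thread: models why doubling single quotes
# protects a standard-SQL database but not one that also honours C-style
# backslash escapes inside string literals (MySQL's default behaviour).

def cf_quote_doubling(value: str) -> str:
    """Mimic ColdFusion's automatic escaping of a simple variable in cfquery:
    every single quote in the value is doubled."""
    return value.replace("'", "''")

def build_query(user_id: str) -> str:
    """The getuser query from the thread, with the URL value inlined."""
    return f"select first_name from users where user_id='{cf_quote_doubling(user_id)}'"

def split_statements(sql: str, backslash_escapes: bool) -> list[str]:
    """Tiny scanner (not a real SQL parser): tracks single-quoted literals,
    treats '' as an escaped quote in both dialects and backslash-x as an
    escape only when backslash_escapes is True, splits on ';' outside
    literals, and stops at a '--' comment outside literals."""
    statements, current, in_string, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_string and backslash_escapes and ch == "\\" and i + 1 < len(sql):
            current.append(sql[i:i + 2]); i += 2      # \' is consumed as one unit
            continue
        if in_string and ch == "'" and sql[i + 1:i + 2] == "'":
            current.append("''"); i += 2              # '' stays inside the literal
            continue
        if ch == "'":
            in_string = not in_string                 # literal opens or closes
        elif not in_string and ch == ";":
            if "".join(current).strip():
                statements.append("".join(current).strip())
            current = []; i += 1
            continue
        elif not in_string and sql.startswith("--", i):
            break                                     # rest of line is a comment
        current.append(ch); i += 1
    if "".join(current).strip():
        statements.append("".join(current).strip())
    return statements

def compare(user_id: str) -> dict[str, int]:
    """Number of statements each dialect sees for the same ColdFusion query."""
    sql = build_query(user_id)
    return {"standard_sql": len(split_statements(sql, False)),
            "backslash_escapes": len(split_statements(sql, True))}

if __name__ == "__main__":
    for value in ["'1'", "O'Brien", "'h4ck3r\\'; DROP TABLE temp; COMMIT; --'"]:
        print(repr(value), build_query(value), compare(value))
```

For the SQL Server test in the thread both dialects see a single statement, which matches the table surviving; under backslash escaping the same doubled text splits into three statements because `\'` consumes the first of the doubled quotes. Binding the value as a query parameter (cfqueryparam) instead of relying on quote doubling removes the dependence on the database's escaping rules.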