>
> http://192.168.0.100/experiments/temp/queries.cfm?user_id='1' << note the
> single quotes
It should be without quotes here.
> SQL =
> select first_name
> from users
> where user_id='''1''' << note the extra doubled up single quotes
Without quotes that would be:
where user_id='1'
which is safe.
> http://192.168.0.100/experiments/temp/queries.cfm?user_id='h4ck3r\';%20DROP%20TABLE%20temp;%20COMMIT;%20--'
Again without the extra quotes.
> SQL =
> select first_name
> from users
> where user_id='''h4ck3r\''; DROP TABLE temp; COMMIT; --''' << note
> the doubled up single quotes still
That will be sent to the database as:
where user_id='h4ck3r\''; DROP TABLE temp; COMMIT; --'
which is not safe in all databases.
> The table is still there. Of course this is on SQL2000. So that may be a
> difference.
Does SQL2000 use C-style escaping?
> But it's CF that's doubling up the quotes, not the database.
And the backslash, which is not doubled by CF, negates the first
of these quotes in databases that use C-style escaping:
http://192.168.0.100/experiments/temp/queries.cfm?user_id=h4ck3r\';DROP%20TABLE%20temp;%20COMMIT;%20--'
Jochem
--
I don't get it
immigrants don't work
and steal our jobs
- Loesje
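An added illustration of the point Jochem makes above; this is example code written for this page, not anything from the thread or from ColdFusion itself. It models CF's quote doubling as a plain `'` -> `''` replacement (an assumption about the behaviour the thread describes), then scans the resulting query the way a database lexer would under the two quoting rules discussed: standard SQL, where only `''` escapes a quote, and C-style dialects, where `\'` also does. The input string is the one from the thread, URL-decoded and without the stray outer quotes. The last function shows the fix that makes the dialect irrelevant, a bound parameter (in ColdFusion that is `<cfqueryparam>`; here it is an in-memory SQLite database, chosen only so the block runs stand-alone).

```python
import sqlite3

# Constructed from the thread: the raw user_id value after URL decoding,
# without the outer single quotes Jochem says should not be there.
RAW_INPUT = "h4ck3r\\'; DROP TABLE temp; COMMIT; --"


def cf_double_quotes(value: str) -> str:
    """Model of the quote doubling the thread attributes to ColdFusion:
    every single quote in the value becomes two single quotes (assumption)."""
    return value.replace("'", "''")


def build_query(value: str) -> str:
    """The string-concatenated query from the thread, after quote doubling."""
    return "select first_name from users where user_id='" + cf_double_quotes(value) + "'"


def split_first_literal(sql: str, backslash_escapes: bool):
    """Scan the first single-quoted string literal in sql the way a database
    lexer would and return (literal_value, text_after_literal).

    backslash_escapes=False: standard SQL, only '' escapes a quote.
    backslash_escapes=True:  C-style dialects, where \\' also escapes a quote.
    """
    start = sql.index("'") + 1
    out = []
    i = start
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])  # \x yields x, so \' is a literal quote
            i += 2
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")  # '' is a literal quote in every dialect
                i += 2
            else:
                return "".join(out), sql[i + 1:]  # closing quote
        else:
            out.append(ch)
            i += 1
    return "".join(out), ""  # unterminated literal


def injected_statement_count(sql: str, backslash_escapes: bool) -> int:
    """Count statement separators that fall OUTSIDE the first string literal.
    Anything non-zero means the value escaped the literal it was put in."""
    _, rest = split_first_literal(sql, backslash_escapes)
    return rest.count(";")


def safe_lookup(value: str):
    """Mitigation: a bound parameter is never part of the SQL text, so the
    quoting rules of the dialect do not matter. Returns (rows, temp_exists)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(user_id text, first_name text)")
    con.execute("create table temp(x int)")
    con.execute("insert into users values ('1', 'alice')")
    rows = con.execute(
        "select first_name from users where user_id=?", (value,)
    ).fetchall()
    temp_exists = con.execute(
        "select count(*) from sqlite_master where name='temp'"
    ).fetchone()[0] == 1
    con.close()
    return rows, temp_exists


if __name__ == "__main__":
    q = build_query(RAW_INPUT)
    print(q)
    for dialect, flag in (("standard SQL", False), ("C-style escaping", True)):
        lit, rest = split_first_literal(q, flag)
        print(f"{dialect}: literal={lit!r} rest={rest!r} "
              f"statements outside literal={injected_statement_count(q, flag)}")
    print("parameterised:", safe_lookup(RAW_INPUT))
```

Run as a script it prints the query from the thread, then shows that under standard quoting the whole value stays inside one literal (nothing after it), while under C-style escaping the literal closes after `h4ck3r'` and `DROP TABLE temp; COMMIT;` is left outside it as separate statements. The same value passed as a bound parameter matches no row and leaves the `temp` table in place.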