I haven't been following this intensive discussion completely,
but I'm curious as to what the end result of your conversion is...
Does this mean using cfqueryparam for form data is not 100%
foolproof against SQL injection and we need to use cfqueryparam
along with HTMLEditFormat and ClearURL, etc., to be "safer"?
Rick
-----Original Message-----
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 28, 2004 5:28 AM
To: CF-Talk
Subject: Re: A script to Prevent SQL Injection: feedback/suggestions?
Matt Robertson wrote:
>> In both cases, I think you are better off with HTMLEditFormat() /
>> HTMLCodeFormat().
>
> Interesting. I ran that same code, removed the call to CodeCleaner
> and changed the next line to
>
> <cfset variables.Cleanurl=htmleditformat(variables.ThisURLVar)>
>
> and got the same result: The difference in the code was detected.
You are using CleanURL to detect differences in strings before
and after cleaning. If there is a difference, you reject the post
completely. That is a very safe way of using CleanURL, but I
doubt that is the way it is used typically.
People will use these types of cleaners to scrub unwanted
elements from the input and let whatever comes out of the
scrubbing be processed further, for instance inserted in the
database. In that case you can design your attack in such a way
that you don't submit the string you want in the database, but
you submit a string that will be transformed to the string you want.
Preventing that pretty much means escaping/removing all <, >, ',
\ and ", at which point just using HTMLEditFormat() or
HTMLCodeFormat() is the easy option.
Jochem
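As an added illustration (not code from the thread, and not CleanURL, whose source is not reproduced here), the script below runs the transformation attack Jochem describes against a hypothetical single-pass blacklist scrubber, then shows the two things that actually hold up: the "reject the post if scrubbing changed anything" check Matt uses, and a bind parameter (the cfqueryparam equivalent, here via sqlite). The blacklist, the users table, and the payload are all assumed for the example.

```python
"""Scrub-and-continue sanitizers versus reject-on-difference and bind parameters.
Added illustration; `scrub_once` is a hypothetical blacklist cleaner standing in
for CleanURL, whose code is not on the page."""
import re
import sqlite3

BLACKLIST = ("union", "select", "drop")  # assumed blacklist for the stand-in cleaner


def scrub_once(value: str) -> str:
    """Single pass: delete every blacklisted word (case-insensitive) and hand the
    remainder on. This is the 'let whatever comes out be processed further'
    pattern the thread warns about."""
    for word in BLACKLIST:
        value = re.sub(re.escape(word), "", value, flags=re.IGNORECASE)
    return value


def craft_nested(payload: str) -> str:
    """Build an input that scrub_once() transforms INTO `payload`: each blacklisted
    word in the payload is split in half with a copy of itself nested inside, so the
    scrubber deletes the inner copy and reassembles the outer one (UNunionION -> UNION)."""
    def nest(match):
        word = match.group(0)
        half = len(word) // 2
        return word[:half] + word.lower() + word[half:]
    for word in BLACKLIST:
        payload = re.sub(re.escape(word), nest, payload, flags=re.IGNORECASE)
    return payload


def reject_if_changed(value: str) -> str:
    """Compare before and after scrubbing and refuse the whole request on any
    difference, instead of forwarding the scrubbed remainder."""
    if scrub_once(value) != value:
        raise ValueError("input rejected: sanitizer would have altered it")
    return value


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the secrets are what the injection tries to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: string-built SQL fed with whatever the scrubber let through."""
    cleaned = scrub_once(name)
    sql = f"SELECT name FROM users WHERE name = '{cleaned}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Safe: a bind parameter (what cfqueryparam does); the payload stays data."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


PAYLOAD = "' UNION SELECT secret FROM users --"   # constructed attacker payload


def demo() -> dict:
    """Run the crafted input through all three handlers and report what happened."""
    conn = make_db()
    crafted = craft_nested(PAYLOAD)
    try:
        reject_if_changed(crafted)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "crafted": crafted,
        "after_scrub": scrub_once(crafted),           # equals PAYLOAD
        "concat_rows": lookup_concat(conn, crafted),  # secrets leak
        "param_rows": lookup_param(conn, crafted),    # nothing matches
        "rejected_by_diff_check": rejected,           # True
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point of `craft_nested` is that a one-pass scrubber is not idempotent: the attacker never submits the forbidden string, only something the cleaner will turn into it. The difference check catches this because the crafted input is altered by scrubbing; the bind parameter never interprets the value as SQL at all.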