>>> Much simpler (but the same) meaning, is just that you should NEVER
>>> have hashes inside CFQUERY tags, unless they are also inside
>>> CFQUERYPARAM tags.

> Beside the fact that use of CFQUERYPARAM may make queries more
> efficient, the main advantage is to prevent SQL injection.
> But what if one uses an Access database? AFAIK, SQL injection uses
> multiple SQL statements, but since multiple SQL statements are not
> supported in Access datasources, is CFQUERYPARAM so important with
> Access?

Well... in theory cfqueryparam should still make those queries faster
even when using Access... but entirely aside from the performance
issue, sql injection doesn't _need_ to use multiple sql statements...
here's an example:

<cfquery ...>
        <!--- #url.x# is pasted into the SQL text, not bound as a value --->
        delete * from mytable
        where mycolumn = #url.x#
</cfquery>

And the simple sql injection attack for this page is:

page.cfm?x=1 or 1=1

Of course the browser or other http engine will need to urlencode the
value "1 or 1=1" so that the spaces and the equal sign don't mangle
the url, however, as far as I know MS Access does support the
statement "1=1" and I know it supports the or keyword in the where
clause, so the end result would be that the Access driver will attempt
to delete every record in that table. Foreign key constraints may
prevent the deletion of some of them, but without a cftransaction you
may still lose extra records. Much better to just use the
cfqueryparam.

s. isaac dealey   954.522.6080
new epoch : isn't it time for a change?

add features without fixtures with
the onTap open source framework

http://www.fusiontap.com
http://coldfusion.sys-con.com/author/4806Dealey.htm
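The point of the reply, as an added example that is not code from the post: the same delete run through Python's built-in sqlite3 module, which (like an Access datasource) executes only one statement per call. The interpolated form still empties the table on "1 or 1=1", while the bound-parameter form (the cfqueryparam equivalent) deletes nothing. The table and rows are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed stand-in for 'mytable' from the post, with three rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE mytable (mycolumn INTEGER, note TEXT)")
    con.executemany("INSERT INTO mytable VALUES (?, ?)",
                    [(1, "one"), (2, "two"), (3, "three")])
    con.commit()
    return con

def remaining(con):
    return con.execute("SELECT COUNT(*) FROM mytable").fetchone()[0]

def delete_interpolated(con, x):
    """Mirrors the <cfquery> in the post: the request value is spliced
    into the SQL text, so 'x=1 or 1=1' widens the WHERE clause."""
    con.execute(f"DELETE FROM mytable WHERE mycolumn = {x}")
    con.commit()
    return remaining(con)

def delete_parameterized(con, x):
    """Mirrors <cfqueryparam>: the value is bound, never parsed as SQL,
    so '1 or 1=1' is just a string that matches no integer row."""
    con.execute("DELETE FROM mytable WHERE mycolumn = ?", (x,))
    con.commit()
    return remaining(con)

def multi_statement_rejected(con, x):
    """Like an Access datasource, sqlite3.execute() refuses a second
    statement in one call; that restriction alone is not a defence."""
    try:
        con.execute(f"DELETE FROM mytable WHERE mycolumn = {x}")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False
```

Stacked statements are refused, yet the single-statement "or 1=1" payload still wipes the table unless the value is bound.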