I precompile everything. No DSN needed, and since cfquery is serializable I
make a unique backup copy of tables for fun.
Example application.cfm:
<cfif NOT isdefined("application.sqlserver_connection") OR application.sqlserver_connection.isClosed() EQ "YES">
    <!--- Opening application.sqlserver_connection is not shown in the post; it has to exist before prepareStatement() is called --->
    <cfset application.insert_mailiglist = application.sqlserver_connection.prepareStatement("INSERT INTO mailinglist (Email,USER_NAME,PASSWORD,date_added,Days_Remaining,date_end,Status,Validated,Delivery) VALUES (?,?,?,?,?,?,?,?,?);")>
</cfif>
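Some CFC:
<!--- The nine ? parameters must be bound on the statement before this call; that step is not shown in the post --->
<cfset success = application.insert_mailiglist.executeUpdate()>
That's it!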
On 8/23/06, Jochem van Dieten <[EMAIL PROTECTED]> wrote:
>
> Russ wrote:
> > So there's the question. Can someone provide an example of a working sql
> > injection attack?
>
> Plenty have been posted in this thread. Even more are in the archives. And
> if that isn't enough, check the archives of the penetration-testing
> securityfocus mailinglist.
>
> Jochem
>
>
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250828
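
Added example, not part of the original post or the poster's code: the INSERT from the message with its nine ? placeholders, run with bound parameters and, for contrast, with the same values spliced into the SQL text. Python's sqlite3 stands in for the JDBC PreparedStatement used in the post; the table's column types, the helper names and the sample row are assumptions.

```python
import sqlite3

# Same column list and nine '?' placeholders as the INSERT in the post.
INSERT_SQL = (
    "INSERT INTO mailinglist "
    "(Email,USER_NAME,PASSWORD,date_added,Days_Remaining,date_end,"
    "Status,Validated,Delivery) VALUES (?,?,?,?,?,?,?,?,?)"
)

def open_db():
    """In-memory stand-in for the SQL Server table; column types are assumed."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE mailinglist (Email TEXT, USER_NAME TEXT, PASSWORD TEXT, "
        "date_added TEXT, Days_Remaining INTEGER, date_end TEXT, "
        "Status TEXT, Validated INTEGER, Delivery TEXT)"
    )
    return db

def add_subscriber(db, row):
    """Bound parameters: the SQL text is fixed, the values travel separately."""
    if len(row) != 9:
        raise ValueError("expected one value per placeholder (9)")
    cur = db.execute(INSERT_SQL, row)
    db.commit()
    return cur.rowcount

def concat_insert_fails(db, row):
    """Contrast: the same values spliced into the SQL text as quoted literals.
    Returns True when the database rejects the resulting statement."""
    literals = ",".join("'%s'" % value for value in row)
    try:
        db.execute("INSERT INTO mailinglist VALUES (" + literals + ")")
    except sqlite3.OperationalError:
        return True
    return False

# Constructed sample row; the apostrophe in the address is ordinary user data.
SAMPLE = ("o'brien@example.org", "obrien", "constructed-placeholder",
          "2006-08-23", 30, "2006-09-22", "active", 0, "html")

if __name__ == "__main__":
    db = open_db()
    print("bound insert rows:", add_subscriber(db, SAMPLE))
    print("stored email:", db.execute("SELECT Email FROM mailinglist").fetchone()[0])
    print("concatenated insert rejected:", concat_insert_fails(open_db(), SAMPLE))
```

With bound parameters the apostrophe is stored as data; in the concatenated form the same character ends the string literal early, so the input has changed the structure of the statement.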