Well, that's the thing. I know I should use cfqueryparam, but the quoted
string won't let commands through.

I made a test table and tried to hack it (with something that wouldn't
delete but would prove SQL injection):

http://localhost/test.cfm?name=rick%20or%201=1

etc., but query 2 will just return an empty set with any injection
attack I tried (using CF7 and MSSQL). Query 3 is obviously the wide-open
one.

<cfparam name="url.name" default=""/>

<!--- test1: no user input reaches the SQL at all --->
<cfquery name="test1" datasource="pubs">
select * from dropme
</cfquery>
<cfdump var="#test1#"/>

<!--- test2: url.name is pasted between single quotes --->
<cfquery name="test2" datasource="pubs">
select * from dropme
where Lname='#url.name#'
</cfquery>
<cfdump var="#test2#"/>

<!--- test3: url.name is pasted unquoted, straight into the SQL --->
<cfquery name="test3" datasource="pubs">
select * from dropme
where Lname=#url.name#
</cfquery>
<cfdump var="#test3#"/>

I guess at the end of the day I'd use queryparam on everything, but
I'd still like to see a quoted string break with injection.

On 8/8/07, Peterson, Chris <[EMAIL PROTECTED]> wrote:
> Are you kidding???
>
> I just replace form.lastname with:   " test'; DROP TABLE table; "
>
> Poof, your data'z are gone
>
> Or, if you really wanna get tricky and someone has debugging turned on,
> or you can guess field / table names:
>
> Let's say you have a fName and lName column outputting a list, and I can
> figure that out.
>
> Now I replace form.lastname with this:    "  test'; SELECT
> credit_card_num as fName, expireDate as lName FROM creditCards;  "
>
> Now instead of seeing a firstname / lastname directory, I see a list of
> all your credit cards in the database =)
>
> ALWAYS use cfqueryparam, or clean the crap out of any incoming variables
> to ensure they are not being exploited.
>
>
> Chris Peterson
> Gainey IT
> Adobe Certified Advanced Coldfusion Developer
>
> -----Original Message-----
> From: Rick Schmitty [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 08, 2007 2:57 PM
> To: CF-Talk
> Subject: cfquery: quotes vs queryparam
>
> Is there anyway for someone to hack a quoted query?
>
> <cfquery>
> select * from table where name='#form.lastname#'
> </cfquery>
>
> vs
>
> <cfquery>
> select * from table where name=<cfqueryparam cfsqltype="cf_sql_varchar"
> maxlength="255" value="#form.lastname#"/>
> </cfquery>
>
>
> Seems anything I throw at the quoted query gets escaped correctly...
>
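The two query styles under discussion (the value pasted between single quotes, as in test2, versus a bound parameter, as cfqueryparam produces), modeled here as an added example in Python with sqlite3 so it runs stand-alone. This is not code from the thread or from ColdFusion; the table name and rows are constructed to stand in for Rick's test table, and the `compare()` helper is an assumption for the demonstration. It shows why the quoted form looks safe against an input like `rick or 1=1` (the whole thing stays inside the literal) while an input that itself contains a quote character ends the literal early, and why the bound parameter treats the same input as plain data either way.

```python
import sqlite3

# Constructed sample data standing in for the "dropme" test table in the thread.
SAMPLE_ROWS = [
    ("Rick", "Schmitty"),
    ("Chris", "Peterson"),
    ("Ann", "Lee"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dropme (Fname TEXT, Lname TEXT)")
    conn.executemany("INSERT INTO dropme VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_quoted(conn, name):
    """Model of test2: the value is pasted between single quotes.

    The quotes only help while the input contains no quote character;
    a quote inside `name` closes the literal and the remainder is parsed
    as SQL, not compared as data.
    """
    sql = f"SELECT Fname, Lname FROM dropme WHERE Lname='{name}'"
    return conn.execute(sql).fetchall()


def query_param(conn, name):
    """Model of cfqueryparam: the value travels as a bound parameter.

    Whatever `name` contains, the database receives it as one string
    value to compare against Lname; it is never parsed as SQL.
    """
    sql = "SELECT Fname, Lname FROM dropme WHERE Lname=?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Return (rows from the quoted query, rows from the parameterised query).

    Hypothetical helper for this example: runs one input through both
    query styles against a fresh copy of the sample table.
    """
    conn = make_db()
    try:
        return query_quoted(conn, name), query_param(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: a normal last name, the value from the thread's
    # test URL, and a value that carries its own quote character.
    for value in ["Schmitty", "rick or 1=1", "x' OR '1'='1"]:
        quoted, param = compare(value)
        print(f"{value!r:18} quoted -> {len(quoted)} rows, param -> {len(param)} rows")
```

The middle input reproduces the empty result Rick saw from test2: with no quote character in it, `rick or 1=1` is just a last name nobody has. The last input returns every row from the quoted query and nothing from the parameterised one, which is the difference the thread is about. One driver caveat: sqlite3's `execute()` refuses to run more than one statement per call, so the stacked-statement case Chris describes for MSSQL cannot be reproduced with this module; the quote-termination case above is enough to show that quoting the interpolated value is not a defence.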


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285744
