Ian, I posted an example of this recently on my blog.

http://www.coldfusionmuse.com/index.cfm/2008/2/22/sql-injection-on-a-character-field

The long and short is that different platforms allow you to escape single quotes differently, and this technique can be used to get the right number of quotes into the string for the purpose of injection...

Best practice: Use cfqueryparam - there is no good reason NOT to do so (especially on CF8).

-mark

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Ian Skinner [mailto:[EMAIL PROTECTED]
Sent: Friday, March 14, 2008 5:51 PM
To: CF-Talk
Subject: SQL Injection

I am presuming that those who should not know this already know this. So how does a nefarious person get around CF's single quote escaping to inject SQL code?

I understand how the following are vulnerable to the basic hack of url.code=34' OR 1=1--

SELECT * FROM county WHERE county_cd = #url.code#

OR

SELECT * FROM county WHERE county_cd = '#preserveSingleQuotes(url.code)#'

But how would it work in this code? Anything I try just ends up with doubled single quotes and rendered harmless.

SELECT * FROM county WHERE county_cd = '#url.code#'

P.S. I know the answer is to always use <cfqueryparam...>. I am just trying to completely understand the answer here.

TIA
Ian

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:301392
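The following is an added example written for this page; it is not code from the thread or from Mark's blog post. It models what Mark is pointing at: ColdFusion doubles every single quote in a variable interpolated into a cfquery, which is the SQL-standard escape, but MySQL's default string-literal rules also treat a backslash as an escape character (unless NO_BACKSLASH_ESCAPES is set). The assumption here is that the backslash escape is the platform difference Mark has in mind. A small literal scanner shows what the database actually sees for Ian's third query under both rule sets, and an in-memory SQLite table with constructed rows shows the cfqueryparam-style fix, where the value is bound and never becomes SQL text. The table and row values are constructed for the example.

```python
import sqlite3

# Ian's basic payload from the post, and a constructed backslash variant.
BASIC_PAYLOAD = "34' OR 1=1--"
BACKSLASH_PAYLOAD = "\\' OR 1=1-- "   # assumption: the trick Mark's post describes


def cf_escape(value):
    """Simulates ColdFusion doubling single quotes in a variable interpolated
    inside <cfquery> (the behaviour that makes Ian's third query look safe)."""
    return value.replace("'", "''")


def build_query(user_input):
    """Ian's third pattern: ... WHERE county_cd = '#url.code#'"""
    return "SELECT * FROM county WHERE county_cd = '%s'" % cf_escape(user_input)


def read_literal(sql, start, backslash_escapes):
    """Decode the single-quoted literal beginning at sql[start].

    '' always means one literal quote (SQL standard, what CF relies on).
    When backslash_escapes is True a backslash also escapes the next
    character (MySQL's default). Returns (decoded value, index just past
    the closing quote)."""
    if sql[start] != "'":
        raise ValueError("literal must start with a single quote")
    out = []
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if backslash_escapes and c == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])      # backslash consumes the next char
            i += 2
        elif c == "'":
            if sql[i + 1:i + 2] == "'":
                out.append("'")         # doubled quote -> literal quote
                i += 2
            else:
                return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def analyze(user_input, backslash_escapes):
    """Return (value the database compares against, SQL text left after the
    literal). Non-empty leftover means the payload broke out of the string
    and is executed as SQL."""
    sql = build_query(user_input)
    start = sql.index("'")
    value, end = read_literal(sql, start, backslash_escapes)
    return value, sql[end:]


def injected(user_input, backslash_escapes):
    return analyze(user_input, backslash_escapes)[1].strip() != ""


def parameterized_lookup(user_input):
    """The cfqueryparam equivalent: bind the value instead of splicing it into
    the SQL text. Uses an in-memory SQLite table with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE county (county_cd TEXT, name TEXT)")
    con.executemany("INSERT INTO county VALUES (?, ?)",
                    [("34", "Lancaster"), ("55", "Douglas")])
    rows = con.execute("SELECT * FROM county WHERE county_cd = ?",
                       (user_input,)).fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    for payload in (BASIC_PAYLOAD, BACKSLASH_PAYLOAD):
        for backslash in (False, True):
            value, rest = analyze(payload, backslash)
            print("backslash=%s payload=%r -> compares %r, leftover %r"
                  % (backslash, payload, value, rest))
    print(parameterized_lookup(BACKSLASH_PAYLOAD))
```

With standard escaping both payloads end up entirely inside the literal, which is exactly what Ian observed. With backslash escaping, `\'` after CF's doubling becomes `\''`: the backslash eats the first quote, the second closes the string, and ` OR 1=1-- '` runs as SQL. SQLite does not honour backslash escapes, so the vulnerable half is modelled with the scanner rather than executed; the parameterized half returns no rows for either payload regardless of dialect.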

