Dave,

I never disagree with you (usually a fool's errand) but I want a
clarification. I think you might mean that this particular use is safe
because CF will escape the single quotes. But the code below is vulnerable
in exactly the same way as a CFQUERY.

As a test I created an SP

-------------------------
CREATE PROCEDURE dbo.sp_test
    @iObject varchar(200)
as

set nocount on

select @iObject AS item
------------------------------------

Then I ran the following code:

---------------------------------------

<cfquery name="test" datasource="test">

sp_test 'bob'; update coaches set name = 'Dave Watts' where coach_id = 1

</cfquery>
--------------------------------------
Both of these statements run and the coaches table was updated.

So, yes it's protected in this case (because of escaping) but if the values
were unsanitized integers it would be just as exposed as a regular query -
right? If it looked like this:


<cfquery name="test" datasource="test">

sp_test #bob_id# 

</cfquery>

I would be able to attack it I think. Probably not as easy to get the syntax
right but... Still possible.

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
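As an added illustration (not code from Mark's message or from anyone else in the thread), here is the unparameterized integer call from the message beside the two parameterized forms ColdFusion provides. The datasource name "test" and the procedure sp_test come from the message; url.bob_id and form.item are assumed request variables, and the template as a whole is hypothetical.

```cfml
<!--- Vulnerable: the integer is pasted straight into the SQL text.
      CF only escapes single quotes, and there are none around an integer,
      so the value becomes part of the statement, which is the exposure
      described in the message. --->
<cfquery name="test" datasource="test">
    sp_test #url.bob_id#
</cfquery>

<!--- Hardened form 1: bind the value as a typed parameter. The driver sends
      the value separately from the SQL text, and CF rejects a value that
      is not a valid integer before the statement is ever executed. --->
<cfquery name="test" datasource="test">
    sp_test <cfqueryparam value="#url.bob_id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Hardened form 2: call the procedure through cfstoredproc. Every
      argument is a cfprocparam, so string values are bound too, and no SQL
      text is assembled in the template at all. maxlength matches the
      varchar(200) declared in the procedure above. --->
<cfstoredproc procedure="sp_test" datasource="test">
    <cfprocparam type="in" cfsqltype="cf_sql_varchar" maxlength="200"
                 value="#form.item#">
    <cfprocresult name="test">
</cfstoredproc>

<cfoutput>#test.item#</cfoutput>
```

One caveat worth keeping in mind: either parameterized form protects the statement that calls the procedure, but not the procedure body. If sp_test itself concatenated @iObject into a string and ran it with EXEC or sp_executesql, the injection would simply move inside the procedure, so the body should use the parameter as a value (as the example procedure does) rather than as SQL text.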

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 6:07 PM
To: CF-Talk
Subject: RE: cfquery and cfstoredproc

> What about a semi-colon?
> 
> Storedproc '#var1#','#var2#' ;  *other code*
> 
> Would the CFQUERY not allow this additional code to run?

It wouldn't allow any of the values after the stored procedure call
"storedproc" to run as code, because they would be placed in the input
parameters of the stored procedure. Essentially, this has the same effect as
parameterizing your query in CF.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction
at our training centers in Washington DC, Atlanta, Chicago, Baltimore,
Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309497