> As Mark pointed out, if you did have numeric inputs in your CFQUERY tag,
> those would still be vulnerable. If not, though, the rest of my statement
> still stands.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
Actually, I'm gonna pick on you again Dave and challenge this. (I'm hoping to add to my wall)

If someone is using MySQL, they have allowMultiQueries set to true and have not changed NO_BACKSLASH_ESCAPES from its default setting, the example given would still be vulnerable to SQL injection. I set up an example locally just to make sure.

I created this MySQL proc:

CREATE PROCEDURE sp_test(input varchar(100))
BEGIN
  select input;
END

Then call it with the following CFML (the contents of the var variable could easily come from URL or FORM):

<cfset var = "Hello World\'); update links set active = ""yes""; -- ">
<cfquery name="test" datasource="foo">
  call sp_test('#var#');
</cfquery>

You will notice that the input to the proc was enclosed in single ticks, however SQL injection was still successful since MySQL allows for single ticks to be escaped with a backslash and CF doesn't prevent that. (That code updated all the records in my links table)

The OP didn't specify, but IF he is on another DBMS like MS SQL he would be ok. However, I know MySQL is pretty common, and a lot of people run it in allowMultiQueries mode.

~Brad

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309506
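The mechanism Brad describes, as an added example that is not part of the thread: a small Python simulation of how a multi-statement MySQL connection tokenizes the query text, under the default sql_mode (backslash escapes on) and under NO_BACKSLASH_ESCAPES. The `cf_quote_doubling` function is an assumption standing in for what ColdFusion does to a variable interpolated into `<cfquery>` (doubling single quotes, leaving backslashes alone); `mysql_escape` is the escaping a MySQL-aware layer would apply instead, and `split_statements` is a deliberately simplified tokenizer (single-quoted literals and `--` comments only). The payload is constructed after the one in the post. The point for a defender is that the same text is one statement or two depending only on the server's mode, which is why the value should go through a bound parameter (`<cfqueryparam>`) or a mode-aware escape rather than quote doubling.

```python
"""Added example, not code from the CF-Talk thread: simulate why quote
doubling alone fails on MySQL when backslash escapes are enabled.
Nothing here connects to a database; the tokenizer is an assumption that
approximates MySQL's string-literal rules for the cases shown."""


def cf_quote_doubling(value):
    """Assumed approximation of what <cfquery> does to an interpolated
    variable: a single quote becomes two, backslashes are left alone."""
    return value.replace("'", "''")


def mysql_escape(value, backslash_escapes=True):
    """Escape a value for a MySQL single-quoted literal in the server's mode.
    With backslash escapes on (default sql_mode) the backslash itself must be
    escaped too; under NO_BASH_BACKSLASH_ESCAPES-style modes it is a plain
    character and quote doubling is sufficient."""
    if backslash_escapes:
        value = value.replace("\\", "\\\\")
    return value.replace("'", "''")


def split_statements(sql, backslash_escapes=True):
    """Split SQL text into statements as a multi-statement connection would:
    ';' outside a string literal ends a statement, '--' followed by
    whitespace starts a comment to end of line, and whether a backslash
    escapes the next character depends on sql_mode. Simplified: only
    single-quoted literals, no double-quoted strings, no /* */ comments."""
    statements, current = [], []
    i, n = 0, len(sql)
    in_string = False
    while i < n:
        c = sql[i]
        if in_string:
            current.append(c)
            if backslash_escapes and c == "\\" and i + 1 < n:
                current.append(sql[i + 1])  # backslash consumes the next char
                i += 2
                continue
            if c == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    current.append("'")  # doubled quote stays inside literal
                    i += 2
                    continue
                in_string = False
            i += 1
            continue
        if c == "'":
            in_string = True
            current.append(c)
            i += 1
            continue
        if sql.startswith("--", i) and (i + 2 >= n or sql[i + 2] in " \t\n"):
            eol = sql.find("\n", i)  # line comment: drop to end of line
            i = n if eol == -1 else eol
            continue
        if c == ";":
            stmt = "".join(current).strip()
            if stmt:
                statements.append(stmt)
            current = []
            i += 1
            continue
        current.append(c)
        i += 1
    stmt = "".join(current).strip()
    if stmt:
        statements.append(stmt)
    return statements


# Constructed input modelled on the post: a backslash placed before the
# closing quote is what defeats plain quote doubling.
PAYLOAD = "Hello World\\'); update links set active = \"yes\"; -- "


def build_call(value, escape):
    """Interpolate an escaped value into the proc call from the post."""
    return "call sp_test('%s');" % escape(value)


def count_statements(value, escape, backslash_escapes):
    """How many statements the server would execute for this value."""
    return len(split_statements(build_call(value, escape), backslash_escapes))


if __name__ == "__main__":
    for label, esc, mode in [
        ("CF doubling, backslash escapes on", cf_quote_doubling, True),
        ("CF doubling, NO_BACKSLASH_ESCAPES", cf_quote_doubling, False),
        ("mode-aware escape, backslash escapes on", mysql_escape, True),
    ]:
        print("%-42s -> %d statement(s)" % (label, count_statements(PAYLOAD, esc, mode)))
```

Running it shows the quote-doubled text becoming two statements under the default mode (the second one being the UPDATE) but a single statement under NO_BACKSLASH_ESCAPES, while the mode-aware escape yields one statement either way. A parameterized call removes the question entirely, because the value never becomes part of the SQL text the tokenizer sees.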