Radek,

The point is, without the cfqueryparam it doesn't really get there. The
passed user_id isn't bound in the query, so the ;{everything else} gets
processed as additional SQL statements. When the value is bound, then
the ;{and everything else} would actually be passed into the field
(since it isn't being processed by your SQL server as a statement, just
a value), failing the field definition and throwing an error.

Steve "Cutter" Blades
Adobe Certified Professional
Advanced Macromedia ColdFusion MX 7 Developer
_____________________________
http://blog.cutterscrossing.com

Radek Valachovic wrote:
> Okay, what about this: for example, column ITEMOID has max length 15
> in the DB and it is numeric.
> 
> Integer is -2,147,483,648 to 2,147,483,647 = 10; the point is, 10 or 15
> doesn't matter.
> 
> I will specify maxlength = 15 for ITEMOID in the DB.
> 
> The example QUERY is:
> 
> SELECT location FROM item WHERE url.user_id = #url.user_id#
> 
> The URL is going to look like this, for example:
> http://mydomain.com/index.cfm?user_id=125456
> 
> Now imagine the hacker code (DECLARE etc.) is added to the end:
> 
> http://mydomain.com/index.cfm?user_id=125456;DECLARE........
> 
> How can it be processed when USER_ID in the database is specified with
> length 15 and USER_ID with the hacker code has a length of around 100?
> 
> I guess you are going to say that's why you have to use:
> 
> SELECT location FROM item WHERE url.user_id = <cfqueryparam
> value="#url.user_id#" cfsqltype="CF_SQL_INTEGER">
> 
> to validate it.
> 
> I understand that, but why is it not already validated, when in the DB it
> is specified with length 15, and using this query:
> 
> SELECT location FROM item WHERE url.user_id = #url.user_id#
> 
> it should work, and I have to use another validation in code using
> cfqueryparam?:
> 
> SELECT location FROM item WHERE url.user_id = <cfqueryparam
> value="#url.user_id#" cfsqltype="CF_SQL_INTEGER">
> 
> Thanks, Radek
> 
> 
> On Thu, Jul 24, 2008 at 2:21 PM, Adrian Lynch <[EMAIL PROTECTED]>
> wrote:
> 
>> Whatever the length of the column in your DB.
>>
>> Adrian
>>
>> -----Original Message-----
>> From: Radek Valachovic [mailto:[EMAIL PROTECTED]
>> Sent: 24 July 2008 19:19
>> To: CF-Talk
>> Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...
>>
>>
>> What would you suggest for this kind of thing:
>>
>> Select USERID
>> from users
>> where email = '#trim(arguments.email)#' and password =
>> '#trim(arguments.password)#'
>>
>>
>> Something like this?
>>
>> Select USERID
>> from users
>> where email = <cfqueryparam value="#trim(arguments.email)#"
>> cfsqltype="CF_SQL_VARCHAR" maxlength="?"> and password = <cfqueryparam
>> value="#trim(arguments.password)#" cfsqltype="CF_SQL_VARCHAR"
>> maxlength="?">
>>
>> I put question marks for MAXLENGTH, still thinking whether I should specify
>> it for more security (but by guessing the length of emails someone could be
>> rejected), or can it be without MAXLENGTH?
>>
>> Radek
>>
>>
>>
> 
> 
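What Steve describes above (an unbound value ends the statement and the rest runs as SQL; a bound value stays a value, never reaches the parser, and with CF_SQL_INTEGER fails the type check before the query is even sent), as an added example that is not from the thread. It uses Python's standard-library sqlite3 as a stand-in for the database; the `item` table, its rows and the `125456; DROP TABLE item` payload are constructed for the demonstration (the original's `;DECLARE ...` is not reproduced), and the integer and maxlength checks are simplified models of what cfqueryparam does, not ColdFusion's own code. Because sqlite3's `execute()` refuses more than one statement per call, the unbound path hands the pieces to the engine one at a time, which models a server that accepts stacked queries.

```python
"""Added example (not from the thread): why an unbound #url.user_id# lets
';...' run as further SQL, while a cfqueryparam-style bound value cannot.

Python's standard-library sqlite3 stands in for the database.  The table,
its rows and the payload below are constructed for the demonstration.
"""
import sqlite3

# Constructed payload in the shape the thread describes: a valid id followed
# by ';' and more SQL.  A DROP stands in for the original's 'DECLARE ...'.
PAYLOAD = "125456; DROP TABLE item"


def make_db():
    """In-memory database with a constructed 'item' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (user_id INTEGER, location TEXT)")
    conn.execute("INSERT INTO item VALUES (125456, 'warehouse A')")
    conn.execute("INSERT INTO item VALUES (7, 'warehouse B')")
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table of that name still exists (used to observe the DROP)."""
    cur = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    )
    return cur.fetchone()[0] == 1


def lookup_unbound(conn, user_id):
    """Models  WHERE user_id = #url.user_id#  with no cfqueryparam.

    The value is pasted into the SQL text, so a ';' inside it ends the
    statement and whatever follows is simply more SQL.  The column's declared
    length is never consulted, because nothing is ever compared against the
    column: the attacker's text is parsed, not stored.

    sqlite3's execute() refuses more than one statement per call, so the text
    is split on ';' and each piece is run in turn, which is what a server that
    accepts stacked queries does with the whole string (simplified model).
    """
    sql = f"SELECT location FROM item WHERE user_id = {user_id}"
    rows = []
    for statement in sql.split(";"):
        if statement.strip():
            rows.extend(conn.execute(statement).fetchall())
    return [row[0] for row in rows]


def integer_param_rejects(value):
    """Simplified model of cfsqltype="CF_SQL_INTEGER": before the query is
    sent, the value must parse as a whole number or the request errors out."""
    try:
        int(value)
    except ValueError:
        return True
    return False


def lookup_bound(conn, user_id, sqltype="integer", maxlength=None):
    """Models  WHERE user_id = <cfqueryparam value="#url.user_id#" ...>.

    The value travels separately from the SQL text as a bound parameter, so
    it can only ever be compared against the column, never parsed as SQL.
    With the integer type it is also rejected client-side if it is not a
    whole number; with a string type and maxlength it is rejected if too
    long.  Both checks are simplified models of cfqueryparam's behaviour.
    """
    if sqltype == "integer":
        user_id = int(user_id)  # ValueError on "125456; DROP TABLE item"
    elif maxlength is not None and len(user_id) > maxlength:
        raise ValueError(f"value longer than maxlength={maxlength}")
    cur = conn.execute("SELECT location FROM item WHERE user_id = ?", (user_id,))
    return [row[0] for row in cur.fetchall()]


def run_demo():
    """Runs the scenario end to end on a fresh database; returns observations
    in the order they were made (the bound lookups run first, then the
    unbound one, so the table's fate is attributable to the unbound path)."""
    conn = make_db()
    return {
        "bound_good": lookup_bound(conn, "125456"),
        # string-typed bind: the payload is compared as a value and matches nothing
        "bound_varchar_payload": lookup_bound(conn, PAYLOAD, sqltype="varchar"),
        "integer_rejects_payload": integer_param_rejects(PAYLOAD),
        "table_after_bound": table_exists(conn, "item"),
        "unbound_payload": lookup_unbound(conn, PAYLOAD),
        "table_after_unbound": table_exists(conn, "item"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:24s}: {value}")
```

The second bound call is the thread's key point in miniature: sent as a varchar parameter, `125456; DROP TABLE item` is just a string the engine compares against the integer column, so the query returns no rows and the table survives; with the integer type it never leaves the application at all. Only the unbound path, where the same text is spliced into the statement, drops the table.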


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309667