Radek, the point is, without the cfqueryparam it doesn't really get there. The passed user_id isn't bound in the query, so the ;{everything else} gets processed as additional SQL statements. When the value is bound, then the ;{and everything else} would actually be passed into the field (since it isn't being processed by your SQL server as a statement, just a value), failing the field definition and throwing an error.
Steve "Cutter" Blades
Adobe Certified Professional
Advanced Macromedia ColdFusion MX 7 Developer
_____________________________
http://blog.cutterscrossing.com

Radek Valachovic wrote:
> Okay what about this, for example column name ITEMOID has in DB maxlength 15
> and it is numeric.
>
> Integer is -2,147,483,648 and 2,147,483,647 = 10 the point is 10 or 15
> doesn't matter.
>
> I will specify for ITEMOID in DB maxl = 15
>
> Example QUERY is
>
> SELECT location FROM item WHERE url.user_id = #url.user_id#
>
> URL gonna look like this example:
> http://mydomain.com/index.cfm?user_id=125456
>
> Now imagine the Hacker Code (Declare etc etc) will add to the end:
>
> http://mydomain.com/index.cfm?user_id=125456;DECLARE........
>
> How can it be processed when USER_ID in database is specified for LENGTH 15
> and USER_ID with Hacker code has length like 100?
>
> I guess u gonna say that's why u have to use :
>
> SELECT location FROM item WHERE url.user_id = <cfqueryparam
> value="#url.user_id#" cfsqltype="CF_SQL_INTEGER">
>
> to validate it.
>
> I understand that, but why it is not validated already when in DB it is
> specified length 15 and using this query:
>
> SELECT location FROM item WHERE url.user_id = #url.user_id# it should work
> and I have to use another validation in code using
>
> cfqueryparam?:
>
> SELECT location FROM item WHERE url.user_id = <cfqueryparam
> value="#url.user_id#" cfsqltype="CF_SQL_INTEGER">
>
> Thanks Radek
>
>
> On Thu, Jul 24, 2008 at 2:21 PM, Adrian Lynch <[EMAIL PROTECTED]>
> wrote:
>
>> Whatever the length of the column in your DB.
>>
>> Adrian
>>
>> -----Original Message-----
>> From: Radek Valachovic [mailto:[EMAIL PROTECTED]
>> Sent: 24 July 2008 19:19
>> To: CF-Talk
>> Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
>>
>>
>> What would you suggest for this kind of thing:
>>
>> Select USERID
>> from users
>> where email = '#trim(arguments.email)#' and password =
>> '#trim(arguments.password)#'
>>
>>
>> Something like this?
>>
>> Select USERID
>> from users
>> where email = <cfqueryparam value="#trim(arguments.email)#"
>> cfsqltype="CF_SQL_VARCHAR" maxlength="?"> and password = <cfqueryparam
>> value="#trim(arguments.password)#" cfsqltype="CF_SQL_VARCHAR"
>> maxlength="?">
>>
>> I put question marks to MAXLENGTH still thinking if I should specify it for
>> more security (but guessing length of emails someone can be rejected) or
>> can
>> it be without MAXLENGTH?
>>
>> Radek
>>
>>
>>
>

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309667
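The distinction Cutter describes (concatenated text is parsed as SQL, a bound value is only ever a value), shown in CFML as an added example that is not code from the thread. The datasource name "myDSN", the column lengths used for maxlength, and the log file name are assumptions for illustration.

```cfml
<!--- Added example, not from the thread. Assumes table "item" with an integer
      column user_id, table "users" with varchar(255) email and varchar(64)
      password columns, and a placeholder datasource "myDSN". --->

<!--- VULNERABLE: the URL value is pasted into the SQL text. The database parses
      "... WHERE user_id = 125456;DECLARE ..." as two statements before any
      value is ever compared against the user_id column, so the column's
      declared length never gets a chance to reject it. --->
<cfquery name="qBad" datasource="myDSN">
    SELECT location FROM item WHERE user_id = #url.user_id#
</cfquery>

<!--- HARDENED: the value is sent to the driver as a bound parameter. The whole
      string "125456;DECLARE ..." is one integer value; it fails the
      CF_SQL_INTEGER conversion inside ColdFusion and the request errors
      before any SQL reaches the server. --->
<cftry>
    <cfquery name="qGood" datasource="myDSN">
        SELECT location FROM item
        WHERE user_id = <cfqueryparam value="#url.user_id#"
                                      cfsqltype="CF_SQL_INTEGER">
    </cfquery>
    <cfcatch type="any">
        <!--- Record the rejected request for the SOC; never echo the raw
              value back to the client. --->
        <cflog file="sqlparam"
               text="Rejected user_id parameter from #cgi.remote_addr#">
        <cfthrow message="Invalid user id">
    </cfcatch>
</cftry>

<!--- The login query from earlier in the thread, with maxlength set to the
      assumed column widths so over-long input is rejected by ColdFusion
      rather than by the database. --->
<cfquery name="qLogin" datasource="myDSN">
    SELECT userid FROM users
    WHERE email = <cfqueryparam value="#trim(arguments.email)#"
                                cfsqltype="CF_SQL_VARCHAR" maxlength="255">
      AND password = <cfqueryparam value="#trim(arguments.password)#"
                                   cfsqltype="CF_SQL_VARCHAR" maxlength="64">
</cfquery>
```

With the bound version, a value like 125456;DECLARE... never produces a query at all; the cfcatch branch runs and the log entry is the detection signal.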