Ben,
    Seeing as how this type of sql injection attack is succeeding so 
much (even my favorite fishing website has been down for days due to 
it (it is a .cfm site))...
  how about changing cfquery so that by default, only ONE sql 
statement can be sent.  Let us override that with a parameter in 
cfquery or a cfprocessing directive type of thing in our application.cfm..

I doubt many people use multiple sql statements in one cfquery, and 
those that do are probably advanced enough to know to add the 
parameter for allowing it..

You can call this enhancement request cf_trainingWheels


How many people out there group together (intentionally) multiple sql 
statements in one cfquery?  (Like "select email from users where 
id=1; drop table users")

Al
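
The default requested above, sketched as an added example (not part of the original message and not ColdFusion code): Python's sqlite3 stands in for cfquery, and run_query, allow_multiple and the sample users table are hypothetical names constructed here.

```python
import sqlite3

def run_query(conn, sql, params=(), allow_multiple=False):
    """Hypothetical cfquery-like wrapper: one statement unless overridden."""
    if allow_multiple:
        # Explicit opt-in: executescript() runs every statement in the text.
        conn.executescript(sql)
        return []
    # Default: sqlite3's execute() refuses text holding more than one statement.
    return conn.execute(sql, params).fetchall()

def make_db():
    # Constructed sample data, in memory only.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "create table users (id integer primary key, email text);"
        "insert into users values (1, 'a@example.test');"
        "insert into users values (2, 'b@example.test');"
    )
    return conn

def users_table_exists(conn):
    row = conn.execute(
        "select count(*) from sqlite_master where type='table' and name='users'"
    ).fetchone()
    return row[0] == 1

def lookup_concat(conn, user_id, allow_multiple=False):
    # The pattern from the message: the request value is pasted into the SQL text.
    sql = "select email from users where id=" + user_id
    try:
        return run_query(conn, sql, allow_multiple=allow_multiple)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # Exception class differs between Python versions, so catch both.
        return "rejected: " + type(exc).__name__

def lookup_bound(conn, user_id):
    # Bound parameter: the value never becomes part of the SQL text.
    return run_query(conn, "select email from users where id=?", (user_id,))
```

The one-statement default only stops stacked statements; binding the value, as lookup_bound does, is what keeps request data out of the SQL text altogether.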

  



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309696