Al Musella, DPM wrote:
>     Seeing as how this type of sql injection attack is succeeding so 
> much (even my favorite fishing website has been down for days due to 
> it (it is a .cfm site))...
>   how about changing cfquery so that by default, only ONE sql 
> statement can be sent.

That is a *very* bad idea since it would require CF to understand SQL. 
And not just SQL as the standard defines it, but every dialect 
implemented by every database. There is no way that CF would be able to 
reliably do that.


If you want an example of how bad this would be just try and see what 
happens if you take one of your current datasources, go to advanced 
properties and unselect every operation except SELECT. Then run the 
following statements:
<cfquery ...>
-- x
DROP TABLE x
</cfquery>
<cfquery ...>
SELECT 'test some string ; DROP c' FROM x
</cfquery>
<cfquery ...>
SET nocount on
DROP TABLE x
SET nocount off
</cfquery>

ColdFusion is a CFML engine. Everything that isn't CFML should be 
treated as opaque. (And the current 'feature' to limit SQL operations 
should be ripped out.)

Jochem
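An added illustration (not from the post, and not how ColdFusion's datasource restriction is actually implemented): three hypothetical text-level checks in the spirit of the proposed restriction, run over the three query bodies above. Each check misjudges at least one of them, which is the parsing problem Jochem describes.

```python
import re

# Constructed samples: the three cfquery bodies from the post, each labelled
# with whether it should be blocked (it performs something other than a SELECT).
SAMPLES = {
    "comment_then_drop": ("-- x\nDROP TABLE x", True),
    "semicolon_inside_string": ("SELECT 'test some string ; DROP c' FROM x", False),
    "set_then_drop": ("SET nocount on\nDROP TABLE x\nSET nocount off", True),
}

# Hypothetical deny list of operations; not ColdFusion's own list.
DENIED = {"DROP", "DELETE", "INSERT", "UPDATE", "CREATE", "ALTER"}


def first_token_check(sql):
    """Heuristic 1: judge the query by its first word only."""
    return sql.split()[0].upper() in DENIED


def keyword_scan_check(sql):
    """Heuristic 2: flag a denied keyword anywhere, even inside a string literal."""
    return any(re.search(rf"\b{kw}\b", sql, re.IGNORECASE) for kw in DENIED)


def semicolon_count_check(sql):
    """Heuristic 3: the 'only one statement' idea, counting ';'-separated pieces."""
    return len([s for s in sql.split(";") if s.strip()]) > 1


CHECKS = (first_token_check, keyword_scan_check, semicolon_count_check)


def evaluate():
    """Return {sample: {check_name: 'ok' | 'false_negative' | 'false_positive'}}."""
    results = {}
    for name, (sql, should_block) in SAMPLES.items():
        results[name] = {}
        for check in CHECKS:
            flagged = check(sql)
            if flagged == should_block:
                verdict = "ok"
            elif should_block:
                verdict = "false_negative"   # a DROP got through
            else:
                verdict = "false_positive"   # a harmless SELECT was refused
            results[name][check.__name__] = verdict
    return results


if __name__ == "__main__":
    for sample, verdicts in evaluate().items():
        print(sample, verdicts)
```

The comment line and the SET prefix slip past the first-word check, the string literal trips the keyword scan and the semicolon count, and the unterminated multi-statement batch is counted as one statement; only a parser for the target dialect could get all three right.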

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309700