If you spent more time securing your variables then it wouldn't be much
of a problem.
E.g. if you create a database field lname char(50), in CF check the
length before passing that variable to your CFQUERY.
There's isnumeric() to check for numbers; there are ways to help protect
yourself from this without going to the extreme that you suggest.
>
> ----- Original Message -----
> From: "Al Musella, DPM" <[EMAIL PROTECTED]>
> To: "CF-Talk" <cf-talk@houseoffusion.com>
> Sent: Friday, July 25, 2008 9:04 AM
> Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head... To Ben
> Forta
>
>
>> Ben,
>>    Seeing as how this type of sql injection attack is succeeding so
>> much (even my favorite fishing website has been down for days due to
>> it (it is a .cfm site))...
>>  how about changing cfquery so that by default, only ONE sql
>> statement can be sent.  Let us override that with a parameter in
>> cfquery or a cfprocessing directive type of thing in our application.cfm..
>>
>> I doubt many people use multiple sql statements in one cfquery, and
>> those that do are probably advanced enough to know to add the
>> parameter for allowing it..
>>
>> You can call this enhancement request cf_trainingWheels
>>
>>
>> How many people out there group together (intentionally) multiple sql
>> statements in one cfquery?  (Like "select email from users where
>> id=1; drop table users")
>>
>> Al

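The thread's defences side by side, as an added Python/sqlite3 example that is not part of either post: the reply's char(50) length limit and isnumeric() check, Al's "one SQL statement per query" default, and, going one step beyond the thread, a bound parameter. It feeds Al's `select ... ; drop table users` input through each approach against a constructed users table; sqlite3's execute() is used as the stand-in for the proposed cfquery default because it already refuses a second statement per call.

```python
import sqlite3

PAYLOAD = "1; drop table users"  # the stacked-statement example from Al's post

def fresh_db():
    """Constructed sample table, not from the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE users (id INTEGER, email TEXT);"
                       "INSERT INTO users VALUES (1, 'user1@example.invalid');")
    return conn

def users_table_exists(conn):
    return conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' "
                        "AND name='users'").fetchone() is not None

def validate_id(raw, max_len=50):
    """Stand-in for the checks in the reply: the char(N) length limit and
    isnumeric(), applied before the value goes anywhere near the query."""
    if len(raw) > max_len:
        raise ValueError(f"value longer than {max_len} characters")
    if not raw.isdigit():
        raise ValueError(f"id must be numeric, got {raw!r}")
    return int(raw)

def query_stacked_unsafe(conn, raw_id):
    """Concatenation plus a driver call that runs every statement it is given."""
    conn.executescript(f"SELECT email FROM users WHERE id={raw_id}")

def query_single_statement(conn, raw_id):
    """Same concatenation, but execute() refuses a second statement per call,
    which is the one-statement cfquery default Al proposes."""
    return conn.execute(f"SELECT email FROM users WHERE id={raw_id}").fetchall()

def query_parameterized(conn, raw_id):
    """Bound parameter: the value is data and is never parsed as SQL."""
    return conn.execute("SELECT email FROM users WHERE id=?", (raw_id,)).fetchall()

def run_scenarios(raw_id=PAYLOAD):
    """Feed raw_id to each query style; True means the users table survived."""
    survived = {}
    for name, fn in [("stacked", query_stacked_unsafe),
                     ("single", query_single_statement),
                     ("parameterized", query_parameterized)]:
        conn = fresh_db()
        try:
            fn(conn, raw_id)
        except (sqlite3.ProgrammingError, sqlite3.Warning):
            pass  # execute(): "You can only execute one statement at a time."
        survived[name] = users_table_exists(conn)
    return survived
```

Only the stacked path loses the table; the validated path never issues a query at all because validate_id() rejects the input first.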

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309702