That's a nice list Isaac, but I'm curious about two things.

1) What is the "sort" versus "order by"? I'm quite familiar with the order by clause, but I've never heard of a sort clause. Perhaps you mean something else?

2) You say to not "put ANY user-supplied variables into the content property of a dynamic filter (i.e. stmt.sqlFilter("column",form.x,"in"))". I can understand the reasoning behind that, but that is a very common task. There are lots of reasons to let the user order the data by various columns, and that should be a standard feature of most any tabular data display. So how would you suggest that developers implement the feature? I personally would have a built-in list of columns that could be sorted by and then double check on the server side to make sure that the chosen sort field is in the allowable list before adding the filter. Do you have other suggestions?

Cheers,
Judah

On Sat, Sep 13, 2008 at 11:29 AM, s. isaac dealey <[EMAIL PROTECTED]> wrote:

> > Is it still possible to injection hack a site that is using the
> > REACTOR framework?
>
> If you're using it the way it was designed to be used, probably not.
>
> There's a short list of things you should avoid with DataFaucet on the
> wiki and probably a very similar list would apply with Reactor.
>
> Here's the list for DataFaucet:
> http://datafaucet.wikispaces.com/SQL+Injection
>
> Hopefully you should be able to extrapolate from that if you're doing
> anything with Reactor that might make you vulnerable. :)
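The server-side allowlist approach described in the message above, worked through as an added example that is not code from either poster, from DataFaucet or from Reactor. It uses Python with SQLite rather than CFML so it runs stand-alone; the `products` table, its column names and the sort keys are assumptions made for the demonstration. The point it shows is the one the discussion turns on: the filter value is bound as a query parameter, while the ORDER BY column and direction are never taken from the request directly, only looked up in a fixed mapping, so a request naming anything outside that mapping is rejected before any SQL is built.

```python
import sqlite3

# Allowlist of sort keys the form may send, mapped to the real column.
# Only the VALUES of this mapping ever reach the SQL text (assumed schema).
ALLOWED_SORT_COLUMNS = {
    "name": "name",
    "price": "price",
    "created": "created_at",
}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


class InvalidSortError(ValueError):
    """Raised when a request asks for a sort column or direction not in the allowlist."""


def is_sort_request_valid(sort_by, direction):
    """True only if both pieces are strings found in the allowlists."""
    return (
        isinstance(sort_by, str)
        and sort_by in ALLOWED_SORT_COLUMNS
        and isinstance(direction, str)
        and direction.lower() in ALLOWED_DIRECTIONS
    )


def build_product_query(category, sort_by="name", direction="asc"):
    """Return (sql, params). The filter value is a bound parameter; the
    ORDER BY fragment is assembled from allowlist values, not request text."""
    if not is_sort_request_valid(sort_by, direction):
        raise InvalidSortError(f"sort not permitted: {sort_by!r} {direction!r}")
    column = ALLOWED_SORT_COLUMNS[sort_by]
    order = ALLOWED_DIRECTIONS[direction.lower()]
    sql = (
        "SELECT id, name, price, created_at FROM products "
        "WHERE category = ? "
        f"ORDER BY {column} {order}"
    )
    return sql, (category,)


def fetch_products(conn, category, sort_by="name", direction="asc"):
    """Run the validated query; category is passed as a parameter."""
    sql, params = build_product_query(category, sort_by, direction)
    return conn.execute(sql, params).fetchall()


def make_sample_db():
    """Constructed in-memory sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
        "category TEXT, price REAL, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO products (name, category, price, created_at) VALUES (?, ?, ?, ?)",
        [
            ("Widget", "tools", 9.50, "2008-09-01"),
            ("Gadget", "tools", 24.00, "2008-09-05"),
            ("Gizmo", "tools", 15.25, "2008-09-03"),
            ("Novel", "books", 12.00, "2008-09-02"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    for row in fetch_products(db, "tools", "price", "desc"):
        print(row)
    # A real column name that is not an allowlist key is still refused:
    try:
        fetch_products(db, "tools", "created_at", "asc")
    except InvalidSortError as exc:
        print("rejected:", exc)
```

Note that the allowlist is keyed by what the form sends, not by the database column name, so the request never needs to know the schema, and the server can rename columns without touching the UI. Logging rejected sort requests is a cheap detection signal, since a legitimate UI only ever sends the keys it was built with.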