Matt,

Why are you not using cfqueryparam in the CF code below? Do you have a good
reason not to do so?

-mark



Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Matthew Allen [mailto:a.matthe...@yahoo.com] 
Sent: Friday, April 10, 2009 1:05 PM
To: cf-talk
Subject: Re: Question about hack


OK, point taken: not safe with MySQL, but fine with MSSQL? I just need to know
if I should start working on my old MS SQL code. So far none of it has suffered
an injection attack; it might be by sheer luck, or maybe all is well with it
as it is on a MS SQL server, right?

> Not necessarily. With the proper configuration of MySQL (multiple 
> statements allowed, and \ escaping single quotes) your example below 
> could be hacked.
> 
> Brad
> 
> ----- Original Message -----
> From: "Matthew Allen" <a.matthe...@yahoo.com>
> To: "cf-talk" <cf-talk@houseoffusion.com>
> Sent: Friday, April 10, 2009 12:25 PM
> Subject: Re: Question about hack
> 
> 
> >
> > To be more precise, would the code below prevent an injection attack?
> > Store proc:
> > .......
> > @uid uniqueidentifier
> > AS
> > BEGIN
> > SELECT ID,column1, column2..etc
> > FROM tbltable
> > WHERE UID = @uid
> > END
> >
> > CF Code:
> > <cfquery name="doStuff" datasource="#application.DSN#">
> >   EXEC usp_getSomeData @uid = '#url.uid#'
> > </cfquery>
> > 


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321513