OK thanks for the pointers all, I better roll my sleeves up and start editing 
before I get done...

On 10 Apr 2009, at 18:21, "Brad Wood" <b...@bradwood.com> wrote:


Using MS SQL the code below would be safe as long as all your parameters are 
strings and encased in single quotes since the cfquery tag will 
automatically escape any single quotes that exist in the #url.uid# variable.

If you were to pass in a numeric value to the stored procedure which did not 
have single ticks around it, you would be vulnerable again even though it is 
a stored proc call.

If it's all the same to you, I would recommend using the cfstoreproc tag to 
call your procedure.  It allows for the cfprocparam tag for your parameters 
which can optionally validate your inputs' data type as well.  (just like 
cfqueryparam does)

~Brad

----- Original Message ----- 
From: "Matthew Allen" <a.matthe...@yahoo.com>
To: "cf-talk" <cf-talk@houseoffusion.com>
Sent: Friday, April 10, 2009 1:04 PM
Subject: Re: Question about hack



OK point taken, not safe with MySQL but fine with MSSQL? I just need to 
know if I should start working on my old MS SQL codes, so far none have 
suffered with injection attacks it might be by sheer luck or maybe all is 
well with it as it is on a MS SQL server, right?

Not necessarily. With the proper configuration of MySQL (multiple statements 
allowed, and \ escaping single quotes) your example below could be hacked.

Brad




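To illustrate the two cases Brad describes above (an unquoted numeric argument concatenated into the proc call versus a typed cfprocparam), here is an added example that is not code from anyone in the thread; the procedure name getUser, its single uid parameter and application.dsn are assumed.

```cfml
<!--- Assumed stored procedure: getUser(@uid INT). --->

<!--- Unsafe pattern from the thread: the numeric argument is not in single
      quotes, so cfquery has no quotes to escape and url.uid is pasted
      straight into the SQL text sent to SQL Server. --->
<cfquery name="unsafeResult" datasource="#application.dsn#">
    EXEC getUser #url.uid#
</cfquery>

<!--- Safer: cfstoredproc binds the value as a typed parameter instead of
      concatenating it, and cfsqltype="cf_sql_integer" rejects anything
      that is not an integer before the call reaches the database. --->
<cfstoredproc procedure="getUser" datasource="#application.dsn#">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#url.uid#">
    <cfprocresult name="safeResult">
</cfstoredproc>

<!--- Equivalent protection if you must keep the cfquery tag:
      cfqueryparam does the same binding and type check inline. --->
<cfquery name="safeResult2" datasource="#application.dsn#">
    EXEC getUser <cfqueryparam cfsqltype="cf_sql_integer" value="#url.uid#">
</cfquery>
```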
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321516