All major languages with abstracted DBMS layers have bind parameters, most of 
which provide similar security and control (some with greater control) to 
cfqueryparam. Perl's DBI and PHP's DBO come to mind. 

Anybody getting hit with SQL injection these days is very likely making a silly 
mistake by ignoring a common and simple feature in their respective DBMS layer. 

~ Mike Stemle, jr.

On Mar 11, 2012, at 0:56, "Michael E. Carluen" <mecarl...@gmail.com> wrote:

> 
> I'm often amazed why simple cf tags like cfqueryparam and even cfoutput don't 
> get pimped enough. Stuff CF developers don't worry about as much as PHP, ASP, or 
> RoR developers would.
> 
> 
> On Mar 10, 2012, at 9:43 PM, Justin Scott <leviat...@darktech.org> wrote:
> 
>> 
>>> An IP from the Ukraine was attacking my contact form with name values like:
>>> 
>>> "John 1) declare @q varchar(8000) select @q =
>>> 0x57414954464F522044454C4159202730303A30303A313527 exec(@q) --"
>> 
>> Indeed, this looks like an initial reconnaissance injection to see if
>> other commands would work (that hex value decodes to WAITFOR DELAY
>> '00:00:15').  This would cause a page load to be delayed a short
>> period so they know the command executed on the database server before
>> moving on to more interesting attacks.
>> 
>> 
>> -Justin
>> 
>> 
> 
> 

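Added illustration (not part of any message in this thread): the two points above, Justin's decoding of the hex literal and Mike's point that bound parameters stop this class of input from being parsed as SQL, worked through in Python against an in-memory SQLite database. The attack string is the one quoted in the thread; the `contacts` table, the `lookup_*` functions and the `id` lookup context are constructed for the example and are not a reconstruction of the original contact form.

```python
import re
import sqlite3

# Name value quoted earlier in the thread, kept here verbatim as sample input.
ATTACK_NAME = ("John 1) declare @q varchar(8000) select @q = "
               "0x57414954464F522044454C4159202730303A30303A313527 exec(@q) --")

HEX_LITERAL = re.compile(r"0x[0-9A-Fa-f]+")


def find_hex_literals(text):
    """Return every T-SQL style 0x... token in a logged input value."""
    return HEX_LITERAL.findall(text)


def decode_hex_literal(token):
    """Decode a 0x... literal to text so an analyst can see what it would execute as."""
    if not token.lower().startswith("0x"):
        raise ValueError("not a hex literal: %r" % token)
    return bytes.fromhex(token[2:]).decode("ascii")


def make_db():
    # Constructed sample schema; nothing here comes from the original application.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO contacts (name) VALUES ('Alice')")
    conn.commit()
    return conn


def lookup_unsafe(conn, contact_id):
    # Vulnerable pattern: the input is spliced into the statement text, so
    # every token in it (declare, select, exec, --) reaches the SQL parser.
    return conn.execute("SELECT name FROM contacts WHERE id = " + contact_id).fetchall()


def lookup_safe(conn, contact_id):
    # Bound parameter (the sqlite3 equivalent of cfqueryparam / DBI / PDO binds):
    # the statement text is fixed and the value travels separately as data.
    return conn.execute("SELECT name FROM contacts WHERE id = ?", (contact_id,)).fetchall()


def demo(payload=ATTACK_NAME):
    """Run the payload through both lookups and decode any hex literals it carries."""
    conn = make_db()
    result = {"decoded": [decode_hex_literal(t) for t in find_hex_literals(payload)]}
    try:
        lookup_unsafe(conn, payload)
        result["unsafe_error"] = False
    except sqlite3.OperationalError:
        # The parser choked on the payload: proof the input was treated as SQL.
        result["unsafe_error"] = True
    # With a bound parameter the same payload is just a string that matches no id.
    result["safe"] = lookup_safe(conn, payload)
    # A legitimate value still works through the bound parameter.
    result["safe_ok"] = lookup_safe(conn, "1")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-13s %r" % (key, value))
```

Decoding the literal is the triage step: it shows the probe was a timing check rather than a data exfiltration attempt, which is what you would note in the incident record. The two lookup functions show why the bind layer matters: the unsafe version fails (or, on a server that understands the payload, executes it) because the SQL parser sees the attacker's tokens, while the bound version compares the whole string against the `id` column and simply returns no rows.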
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350354