> > > Sadly I cannot provide any links as proof, so I won't argue with you, but I
> > > am sure I have seen someone on this list provide some advanced sql
> > > injection examples that got through cfqueryparam
> >
> > The only way for this to be possible is to do something with the data
> > in your SQL after receiving the parameters that would explicitly treat
> > the data as code. For example, you could have a parameterized stored
> > procedure that takes something declared as data and tries to execute
> > it (EXEC, EXECUTE, sp_executesql for example take strings and
> > explicitly try to execute them as code).
> >
> > But that is not a limitation of CFQUERYPARAM or an example of SQL
> > injection from ColdFusion - even in that case, CF is explicitly
> > telling the database, "this part is code, this other part is data". By
> > telling the database that parameters are data, you are preventing them
> > from being inadvertently treated as code.
>
> Ok found an example for you.
> www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me

If you read the code in that example, you'll notice it's explicitly
using EXEC, EXECUTE and sp_executesql, as I mentioned above. Those
explicitly treat data (strings) as executable code. Those operations
aren't normally done in SQL, and they are known security risks. They
take something that is safe and make it unsafe. It should come as no
surprise that taking something unsafe and making it safe, then taking
that safe thing and again making it unsafe, is ... unsafe.

And of course, that is not what the vast majority of CF SQL commands
need to do. I can count on my fingers the number of times I've used
those commands in a CF application, after working with CF for about
seventeen years.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
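As an added illustration of the point above (T-SQL written for this note, not code from the thread or the linked article), here is the pattern that undoes cfqueryparam's protection beside the form that keeps the parameter as data; the table, procedure and parameter names are assumed:

```sql
-- Constructed example. dbo.Users, usp_FindUser_Unsafe and usp_FindUser_Safe are
-- illustrative names, not objects from any real application.

-- Risky pattern: @userName arrives as bound data (ColdFusion sends it via
-- <cfqueryparam cfsqltype="cf_sql_varchar">), but concatenating it into a
-- string and handing that string to EXEC makes the database parse it as SQL.
CREATE PROCEDURE dbo.usp_FindUser_Unsafe
    @userName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT id, userName FROM dbo.Users WHERE userName = '''
             + @userName + N'''';
    EXEC (@sql);   -- data has just been turned back into code
END;
GO

-- Hardened pattern: dynamic SQL is still used (the sort direction is chosen
-- at runtime), but the user-supplied value is bound through sp_executesql's
-- parameter list, so it stays data from the CF tag all the way to execution.
CREATE PROCEDURE dbo.usp_FindUser_Safe
    @userName NVARCHAR(50),
    @sortDesc BIT = 0
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT id, userName FROM dbo.Users WHERE userName = @p ORDER BY userName'
             + CASE WHEN @sortDesc = 1 THEN N' DESC' ELSE N' ASC' END;  -- fixed literals only
    EXEC sp_executesql @sql, N'@p NVARCHAR(50)', @p = @userName;
END;
GO

-- Both procedures are called the same way from ColdFusion; the difference is
-- entirely in what the procedure does with the parameter it receives:
--   <cfquery datasource="myDsn">
--     EXEC dbo.usp_FindUser_Safe
--       @userName = <cfqueryparam value="#form.userName#"
--                                 cfsqltype="cf_sql_varchar" maxlength="50">
--   </cfquery>
```

A quick audit for this class of issue is to search stored procedures for EXEC, EXECUTE and sp_executesql and confirm that every dynamic statement binds user-supplied values through a parameter list rather than string concatenation.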

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354890