> Not sure if it's possible to do damage with malicious code in the
> sql insert statement,
>
> eg.
> insert into table1 (Var1)
> values ('#form.var1#')
>
> I can't see how a malicious value for form.var1 would cause damage? Maybe
> I'm wrong.
>
> Why don't you actually try to insert code which will execute when
> displayed?
>
> Once you have figured out how that works, try and stop it working.

This will kill SQL Server

form.var1=" '); delete from syscolumns /*"

Also, remember to double the apostrophes before you do the insert or
update - that should get around the issue I've just given

form.var1=Replace(form.var1,"'","''","all")

Philip Arnold
Director
Certified ColdFusion Developer
ASP Multimedia Limited
T: +44 (0)20 8680 1133

"Websites for the real world"

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
**********************************************************************
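The exchange above describes the classic string-literal injection and the apostrophe-doubling workaround. Below is an added example, not code from the original message, that reproduces both sides in Python against an in-memory SQLite database: a constructed `table1` stands in for the real table, the hostile value is the same string the reply uses (aimed at `table1` rather than `syscolumns`), and `executescript` stands in for a database driver that accepts several statements in one call. The escaping function is a direct translation of the reply's `Replace(form.var1,"'","''","all")`; the parameterized version is the equivalent of binding the value with `cfqueryparam`.

```python
import sqlite3

# Constructed sample: the reply's payload, retargeted at a table created below.
HOSTILE_INPUT = "'); delete from table1 /*"


def make_db():
    """Fresh in-memory database with one pre-existing row in table1."""
    con = sqlite3.connect(":memory:")
    con.execute("create table table1 (Var1 text)")
    con.execute("insert into table1 (Var1) values ('existing row')")
    con.commit()
    return con


def vulnerable_insert(con, value):
    """Mirrors values ('#form.var1#'): the value is pasted into the SQL text.

    executescript runs every statement in the string, like a server that
    accepts batched statements, so the closing quote in the value ends the
    string literal and the rest of the payload runs as its own statement.
    """
    sql = f"insert into table1 (Var1) values ('{value}')"
    con.executescript(sql)
    con.commit()


def escape_apostrophes(value):
    """Python form of Replace(form.var1, "'", "''", "all")."""
    return value.replace("'", "''")


def escaped_insert(con, value):
    """Same concatenation, but the apostrophes are doubled first, so the
    whole payload stays inside the string literal and is stored as data."""
    sql = f"insert into table1 (Var1) values ('{escape_apostrophes(value)}')"
    con.executescript(sql)
    con.commit()


def parameterized_insert(con, value):
    """Bound parameter: the value never becomes part of the SQL text at all."""
    con.execute("insert into table1 (Var1) values (?)", (value,))
    con.commit()


def rows(con):
    """Contents of table1 in insertion order."""
    return [r[0] for r in con.execute("select Var1 from table1 order by rowid")]


if __name__ == "__main__":
    for name, insert in (("vulnerable", vulnerable_insert),
                         ("escaped", escaped_insert),
                         ("parameterized", parameterized_insert)):
        con = make_db()
        insert(con, HOSTILE_INPUT)
        print(f"{name:14s} -> {rows(con)}")
```

Running the script shows the vulnerable path leaving `table1` empty (the delete executed), while the escaped and parameterized paths leave the original row in place and store the payload as a plain string. Doubling apostrophes only helps where the value sits inside a quoted string literal; a value interpolated into a numeric column or anywhere outside quotes is not protected by it, which is why the bound-parameter form is the one to use generally.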
