No. The issue is how you use the info.
A piece of text (e.g. search text) like
'; drop table myTable; select name as thatData from sysObjects where '' = '
shouldn't be a problem, if executed like so:
<cfquery>
select thatData from myTable where thatValue= '#form.thatvalue#';
</cfquery>
but if you do it like this:
<cfset sql = "select * from myTable where thatValue = '" & form.thatValue & "';">
<cfquery>
#preservesinglequotes(sql)#
</cfquery>
well, I'd be betting that table is dropped and you've got every Name
field element in the sysObjects table returned. No, I'm not going to test that
code.
:-)
A major worry is when people don't check their integers.
I've seen it a lot of times in code: people assume that the variable, if it
exists, is an integer and let code like this run:
<cfparam name="url.id" default="1">
<cfquery>
select * from myTable where ID = #url.id#
</cfquery>
nasty...
So, test each form element used in the query for validity.
e.g.:
<cfscript>
if (not (isdefined('url.id') and isNumeric(url.id))) url.id = 1; // or whatever default value
// other checks
</cfscript>
And if you do use queries like so:
<cfquery>
#preservesinglequotes(sql)#
</cfquery>
please, during your checking, replace all single quotes in your strings with
two single quotes, and if you're using an Access database you've got to check for
something else... what is it? An exclamation mark? Oh, I can't remember.
----- Original Message -----
From: "sebastian palmigiani" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, May 23, 2001 1:41 PM
Subject: Re: Compromising Security
Is this the most efficient way to check for SQL in form input?
Sebastian
------------------
<cfset FORM.FirstName = 'Sebastian'>
<cfset FORM.LastName = 'Palmigiani'>
<cfset FORM.Address = ';drop table members;'>
<cfset FormList = ''>
<cfset FormList = ListAppend(FormList, FORM.FirstName)>
<cfset FormList = ListAppend(FormList, FORM.LastName)>
<cfset FormList = ListAppend(FormList, FORM.Address)>
<cfset SQLList = 'Select,Insert,Delete,Update,Drop,Create,Table'>
<cfloop list="#SQLList#" index="SQL">
<cfif ListContainsNoCase(FormList, SQL)>
<!--- Send back if there are SQL keywords --->
<cflocation url="index.cfm?Message=Error">
</cfif>
</cfloop>
on 5/22/01 5:27 PM, Bryan Love at [EMAIL PROTECTED] wrote:
> someone could conceivably type "; drop table [tablename];" into a form field
> if they knew the name of the table and mess up the DB
>
>
> Bryan Love ACP
> Internet Application Developer
> [EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
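Added example (mine, not code from the thread or from ColdFusion): the cases from the reply above and from Sebastian's keyword check, run in Python against an in-memory SQLite database so the effect of each one is visible. Assumptions: the table and column names (myTable, thatValue, thatData, ID) are the ones used in the thread and the rows are made up; sqlite_master stands in for sysObjects; doubling the single quotes emulates what <cfquery> does to an interpolated variable, and leaving them alone emulates preservesinglequotes(); executescript() stands in for a driver that accepts stacked statements, as SQL Server does.

```python
import sqlite3

# The keyword list from Sebastian's check, used below to show what it misses.
SQL_KEYWORDS = ["Select", "Insert", "Delete", "Update", "Drop", "Create", "Table"]

# The search text from the top of the reply, with sqlite_master standing in
# for SQL Server's sysObjects (assumption for this demo).
DROP_PAYLOAD = ("'; DROP TABLE myTable; "
                "SELECT name AS thatData FROM sqlite_master WHERE '' = '")

# A value containing none of the blacklisted keywords that still changes the query.
TAUTOLOGY_PAYLOAD = "' OR ''='"


def fresh_db():
    """Constructed sample data using the table and column names from the thread."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE myTable (ID INTEGER PRIMARY KEY, thatValue TEXT, thatData TEXT);
        INSERT INTO myTable VALUES (1, 'alpha', 'row one');
        INSERT INTO myTable VALUES (2, 'beta',  'row two');
        INSERT INTO myTable VALUES (3, 'gamma', 'row three');
    """)
    return con


def table_exists(con, name):
    row = con.execute("SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
                      (name,)).fetchone()
    return row[0] == 1


def concat_sql(that_value, escape):
    """The WHERE clause built by string concatenation. escape=True doubles the
    single quotes, which is what <cfquery> does to '#form.thatValue#' on its own;
    escape=False leaves them alone, which is what preservesinglequotes() gets you."""
    if escape:
        that_value = that_value.replace("'", "''")
    return f"SELECT thatData FROM myTable WHERE thatValue = '{that_value}'"


def lookup(con, that_value, escape):
    """Run the concatenated query as one statement and return the thatData values."""
    return [row[0] for row in con.execute(concat_sql(that_value, escape))]


def run_stacked(con, that_value):
    """The unescaped SQL sent through executescript(), which runs every statement
    in the string; this stands in for a driver that accepts stacked statements."""
    con.executescript(concat_sql(that_value, escape=False) + ";")


def keyword_filter_passes(*form_values):
    """Simplified version of the ListContainsNoCase loop: True when no form value
    contains one of the keywords, i.e. the request would be let through."""
    return not any(keyword.lower() in value.lower()
                   for value in form_values for keyword in SQL_KEYWORDS)


def lookup_by_id_unchecked(con, url_id):
    """'where ID = #url.id#' with no check: whatever url.id holds becomes SQL."""
    return [row[0] for row in con.execute(f"SELECT thatData FROM myTable WHERE ID = {url_id}")]


def lookup_by_id_checked(con, url_id, default=1):
    """The check from the reply (stricter than isNumeric(): integers only), and the
    value is then bound as a parameter, the equivalent of <cfqueryparam>, so it
    can only ever be data."""
    try:
        id_value = int(url_id)
    except (TypeError, ValueError):
        id_value = default
    return [row[0] for row in con.execute("SELECT thatData FROM myTable WHERE ID = ?", (id_value,))]


def demo():
    """Run the cases discussed in the thread and collect what each one returns."""
    out = {}
    con = fresh_db()
    out["cfquery_rows"] = lookup(con, DROP_PAYLOAD, escape=True)            # []
    out["table_after_cfquery"] = table_exists(con, "myTable")               # True
    run_stacked(con, DROP_PAYLOAD)
    out["table_after_preservesinglequotes"] = table_exists(con, "myTable")  # False

    con = fresh_db()
    out["unchecked_id"] = lookup_by_id_unchecked(con, "1 OR 1=1")  # all three rows
    out["checked_id"] = lookup_by_id_checked(con, "1 OR 1=1")      # ['row one']

    out["blacklist_stops_drop"] = not keyword_filter_passes("Sebastian", "Palmigiani",
                                                            ";drop table members;")  # True
    out["blacklist_passes_tautology"] = keyword_filter_passes("Sebastian", "Palmigiani",
                                                              TAUTOLOGY_PAYLOAD)    # True
    out["tautology_unescaped"] = lookup(con, TAUTOLOGY_PAYLOAD, escape=False)  # all three rows
    out["tautology_escaped"] = lookup(con, TAUTOLOGY_PAYLOAD, escape=True)     # []
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two results are the point of the "no" at the top of the reply: the keyword list rejects ";drop table members;" but lets ' OR ''=' through, and that value still returns every row once the quotes reach the database untouched, while the same value is harmless when the quotes are doubled. In CF the bound parameter in lookup_by_id_checked corresponds to <cfqueryparam>.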