you can't forget that form fields also play a part in this. after reading the informaiton provided in jeff's link, it did shine a light. although i have been taught from the beginning to always use val() around numberic values (thank Adam) and to use regex to validate text input (props Raymond). if your anal and take the time to make sure that the information that people are passing you is in the extact fomrat you want, you shouldn't have a problem. also, don't rely on javascript, i always do server-side validation even after client side, just to make certain. i even go as far as putting as much validation as i can into my stored procedures and triggers. although SQL server doesn't support regular expressions , which sucks! anyone know a way it could?
Anthony Petruzzi Webmaster 954-321-4703 [EMAIL PROTECTED] http://www.sheriff.org -----Original Message----- From: Dave Watts [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 12:36 PM To: CF-Talk Subject: RE: Preventing SQL injection attacks...? > Could you show me an example of an SQL injection attack? I > want to test my app to see what I need to do to protect > against this. All of these sorts of attacks rely on tampering with form or URL data to add SQL statements directly to that data, on the assumption that the data may be used in an SQL query, in which case the tampered data may execute within the SQL database. Typically, you'll see examples where you've got a URL like this: http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable However, in real life, typically you won't attacks like that because there's nothing to gain from dropping a table or deleting records. Real attacks are usually more subtle and useful to the attacker. One of my favorites is the use of the SQL Server system stored procedure xp_cmdshell to open a command shell, which can be used to fetch a file from an attacker's FTP server and run it. That's much more interesting. Note also that most of the examples you'll see will show tampered URL data, but you can do the same thing with form data almost as easily. Here's a URL which describes SQL injection attacks: http://www.owasp.org/asac/input_validation/sql.shtml Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 ______________________________________________________________________ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
