not debugging, more 'Enable Robust Exception Information' is checked.
>>> [EMAIL PROTECTED] 31/03/2006 3:01:00 pm >>> Yes, You are correct, but there will be other queries on the page, I'm sure. What you need for SQL injection, a table name: users.dbo.person So the error gives all that and more, so if there is another keyword search page or similar, without vals or <cfqueryparams away you go. Moral of the story, is debugging shouldn't be on in production and we would have never known the table name. Or at least the errors should be caught. Regards Dale Fraser >>Error Occurred While Processing Request Error Executing Database >>Query. >>[Macromedia][SQLServer JDBC Driver][SQLServer]Database 'users' cannot >>be opened because it is offline. >> >>The error occurred in D:\web\tvguide.com.au\index.cfm: line 32 >> >>30 : select person_id, password >>31 : from users.dbo.person >>32 : where person_id = #Val(cookie.person_id)# >>33 : </cfquery> >>34 : >> >>SQL select person_id, password from users.dbo.person where >>person_id = 2617356 Regards Dale Fraser > -----Original Message----- > From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On > Behalf Of Brett Payne-Rhodes > Sent: Friday, 31 March 2006 14:34 PM > To: cfaussie@googlegroups.com > Subject: [cfaussie] sql injection was: tvguide.com.au > > > Just curious, not knowing much about sql injection... > > Wouldn't the 'val()' function be sufficient protection in this case? > Presuming that the sql that was trying to be 'injected' was stored in > cookie.person_id then the val() function will effectively nullify it by > returning zero... No? > > ps. apologies for highjacking the thread... > > Cheers, > > Brett > B) > > > > Dale Fraser wrote: > > Dam, > > > > That really looks open to SQL Injection, someone should let them know. > > > > Regards > > Dale Fraser > > > > > >>-----Original Message----- > >>From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On > >>Behalf Of Chad Renando > >>Sent: Friday, 31 March 2006 14:06 PM > >>To: cfaussie@googlegroups.com > >>Subject: [cfaussie] tvguide.com.au > >> > >> > >>Crash, bang, boom of a CF site. > >> > >>I wonder what kind of traffic they get? Might be some job opps > >>opening up or maybe just some hosting opportunities maybe? ;) > >> > >>Chad > >> > >>------------------------------------------------------------------------ > -- > >>--------------------------------------- > >> > >> The web site you are accessing has experienced an unexpected error. > >>Please contact the website administrator. > >> > >>The following information is meant for the website developer for > >>debugging purposes. > >>Error Occurred While Processing Request > >>Error Executing Database Query. > >>[Macromedia][SQLServer JDBC Driver][SQLServer]Database 'users' cannot > >>be opened because it is offline. > >> > >>The error occurred in D:\web\tvguide.com.au\index.cfm: line 32 > >> > >>30 : select person_id, password > >>31 : from users.dbo.person > >>32 : where person_id = #Val(cookie.person_id)# > >>33 : </cfquery> > >>34 : > >> > >>SQL select person_id, password from users.dbo.person where > >>person_id = 2617356 > >>DATASOURCE hww_sql > >>VENDORERRORCODE 942 > >>SQLSTATE HY000 > >>Resources: > >> > >> * Check the ColdFusion documentation to verify that you are using > >>the correct syntax. > >> * Search the Knowledge Base to find a solution to your problem. > >> > >>Browser Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; > rv:1.7.9) > >>Gecko/20050711 Firefox/1.0.5 (ax) > >>Remote Address 58.104.59.236 > >>Referrer > >>Date/Time 31-Mar-06 02:01 PM > >>Stack Trace > >>at cfindex2ecfm1650242660.runPage(D:\web\tvguide.com.au\index.cfm:32) > >>at cfindex2ecfm1650242660.runPage(D:\web\tvguide.com.au\index.cfm:32) > >> > >>java.sql.SQLException: [Macromedia][SQLServer JDBC > >>Driver][SQLServer]Database 'users' cannot be opened because it is > >>offline. > >> at macromedia.jdbc.base.BaseExceptions.createException(Unknown > >>Source) > >> at macromedia.jdbc.base.BaseExceptions.getException(Unknown Source) > >> at > >>macromedia.jdbc.sqlserver.tds.TDSRequest.processErrorToken(Unknown > Source) > >> at > >>macromedia.jdbc.sqlserver.tds.TDSRequest.processReplyToken(Unknown > Source) > >> at macromedia.jdbc.sqlserver.tds.TDSRequest.processReply(Unknown > >>Source) > >> at > >>macromedia.jdbc.sqlserver.SQLServerImplStatement.getNextResultType(Unkno > wn > >>Source) > >> at > >>macromedia.jdbc.base.BaseStatement.commonTransitionToState(Unknown > Source) > >> at macromedia.jdbc.base.BaseStatement.postImplExecute(Unknown > >>Source) > >> at macromedia.jdbc.base.BaseStatement.commonExecute(Unknown Source) > >> at macromedia.jdbc.base.BaseStatement.executeInternal(Unknown > >>Source) > >> at macromedia.jdbc.base.BaseStatement.execute(Unknown Source) > >> at > >>coldfusion.server.j2ee.sql.JRunStatement.execute(JRunStatement.java:212) > >> at coldfusion.sql.Executive.executeQuery(Executive.java:719) > >> at coldfusion.sql.Executive.executeQuery(Executive.java:652) > >> at coldfusion.sql.Executive.executeQuery(Executive.java:613) > >> at coldfusion.sql.SqlImpl.execute(SqlImpl.java:236) > >> at coldfusion.tagext.sql.QueryTag.doEndTag(QueryTag.java:499) > >> at > >>cfindex2ecfm1650242660.runPage(D:\web\tvguide.com.au\index.cfm:32) > >> at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:152) > >> at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:349) > >> at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) > >> at > >>coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:210) > >> at coldfusion.filter.PathFilter.invoke(PathFilter.java:86) > >> at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:69) > >> at > >>coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:52) > >> at > >>coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersist > en > >>ceFilter.java:28) > >> at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) > >> at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) > >> at > >>coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) > >> at > >>coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.jav > a: > >>115) > >> at coldfusion.CfmServlet.service(CfmServlet.java:107) > >> at > >>coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78) > >> at jrun.servlet.FilterChain.doFilter(FilterChain.java:86) > >> at com.seefusion.Filter.doFilter(Filter.java) > >> at com.seefusion.SeeFusion.doFilter(SeeFusion.java) > >> at jrun.servlet.FilterChain.doFilter(FilterChain.java:94) > >> at jrun.servlet.FilterChain.service(FilterChain.java:101) > >> at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91) > >> at > >>jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) > >> at > >>jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257 > ) > >> at > >>jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541 > ) > >> at > >>jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java: > 20 > >>4) > >> at > >>jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.j > av > >>a:318) > >> at > >>jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java > :4 > >>26) > >> at > >>jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.jav > a: > >>264) > >> at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66) > >> > >> > > > > > > > > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "cfaussie" group. To post to this group, send email to cfaussie@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/cfaussie -~----------~----~----~----~------~----~------~--~---
