You do have to remember though that CFQUERYPARAM automatically escapes quoted values, so if you had a normal query like

  UPDATE Table SET Column = '#URL.Val#'

you could pass along

  ?val=zz'; DROP TABLE TableName; SELECT * FROM Master WHERE Column = 'dd

so the query would look like

  UPDATE Table SET Column = 'zz'; DROP TABLE TableName; SELECT * FROM Master WHERE Column = 'dd'

Looks bad, but Coldfusion escapes these single quotes so it would actually process

  UPDATE Table SET Column = 'zz''; DROP TABLE TableName; SELECT * FROM Master WHERE Column = ''dd'

...and the database would get updated with the URL value and not process the injection.

SQL injection becomes more of an issue when you are dealing with numeric values in the queries, like passing IDs along the URL. This is where CFQUERYPARAM comes into play, because you are validating that the value is an actual number and not a string, and it will catch any attempts at SQL injection.

One thing to note also is that CFQUERYPARAM handles complex values like XMLText values, whereas normal SQL would error unless you copied the value into a local var so you could use it in your query.

Though with the whole CFC side of things you should be checking this stuff before it even gets to the CFQUERY tag anyway.

Annywhooo

Steve

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Scott
Sent: Monday, 30 June 2008 3:53 PM
To: [email protected]
Subject: [cfaussie] Re: SQL Injection?

The one thing to remember is that SQL injection via the query param cf_sql_varchar removes any unwanted attacks. Mainly sql itself.

I still wish on my wishlist for Coldfusion to do all that behind the scenes for you, oh well maybe one day.

--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 8676 4223
Mobile: 0404 998 273

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of nedlud
Sent: Monday, 30 June 2008 3:16 PM
To: cfaussie
Subject: [cfaussie] Re: SQL Injection?

I was just doing some more reading about this problem.

Stored procedures are still susceptible to SQL injection *if* they dynamically modify the query based on the user input. But from what I can see, coldfusion uses parameterised queries which should be safe. At least I can't find any particular mention of exploits for them online (yet ;) )

My concern was that any time you are accepting string input from a user, the data still needs to be sanitised before use, and cf_sql_varchar is still just a string. A string by any other name would be just as vulnerable.

So yes, my only concern is that it can accept text, but that text does not appear to get executed by the db, which is a good thing :)

As Zac points out, the data is still potentially dangerous as a possible XSS attack later on (client side, not server side). But as for my concern about SQL attacks, I'm more comfortable now about using cfqueryparams.

--
You received this message because you are subscribed to the Google Groups "cfaussie" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en
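Steve's point above (quote-doubling makes the payload inert inside a quoted string literal, but does nothing for an unquoted numeric context, which is where a type-checked cf_sql_integer parameter matters) reproduced in Python with sqlite3 as an added example; this is not code from the thread, the cf_escape_quotes helper only mimics ColdFusion's automatic single-quote doubling, and the Users table and its rows are constructed for the demo:

```python
import sqlite3


def cf_escape_quotes(value: str) -> str:
    """Mimic ColdFusion's automatic doubling of single quotes inside <cfquery>."""
    return value.replace("'", "''")


def setup() -> sqlite3.Connection:
    # Constructed sample table, in memory so the demo runs offline.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Users (UserID INTEGER, Name TEXT);"
        "INSERT INTO Users VALUES (1, 'alice'), (2, 'bob');"
    )
    return conn


def update_name_quoted(conn: sqlite3.Connection, user_id: int, value: str) -> str:
    # Quoted-string context built by interpolation, as in UPDATE ... SET Column = '#URL.Val#'.
    # Doubling the quotes keeps the whole payload inside one string literal, so the
    # database stores it verbatim instead of executing it.
    sql = f"UPDATE Users SET Name = '{cf_escape_quotes(value)}' WHERE UserID = {user_id}"
    conn.execute(sql)
    return conn.execute("SELECT Name FROM Users WHERE UserID = ?", (user_id,)).fetchone()[0]


def lookup_unsafe(conn: sqlite3.Connection, raw_id: str) -> list:
    # Numeric context built by interpolation, as in WHERE UserID = #URL.id#.
    # There are no quotes to escape, so the raw URL value becomes part of the SQL.
    return conn.execute(f"SELECT UserID FROM Users WHERE UserID = {raw_id}").fetchall()


def lookup_param(conn: sqlite3.Connection, raw_id: str) -> list:
    # Equivalent of <cfqueryparam cfsqltype="cf_sql_integer">: reject anything that is
    # not an integer, then send the value as a bound parameter rather than as SQL text.
    if not raw_id.strip().lstrip("-").isdigit():
        raise ValueError("UserID must be an integer")
    return conn.execute("SELECT UserID FROM Users WHERE UserID = ?", (int(raw_id),)).fetchall()
```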
