Yep. But I knew that we could count on you to point it out... 

You could mitigate the possibility to a degree with a filter like my 
cf_xssblock tag, plus configuring the db to only allow select and exec. 

I actually used to include something very similar to that in my servertools app 
so you could run adhoc SQL from a form against any CF dsn, but then I thought 
about how bad that could be in the wrong hands and binned it. 




________________________________
From: Dean H. Saxe <d...@fullfrontalnerdity.com>
To: discussion@acfug.org
Sent: Wed, January 27, 2010 6:29:03 PM
Subject: Re: [ACFUG Discuss] a very strange sql error that only happens when  
using CF

D'oh!  Anyone else see the classic SQL injection vuln here...
--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not
given by his fathers, but borrowed from his children."  -- John James
Audubon



On Wed, Jan 27, 2010 at 11:47 AM, Dusty Hale <du...@climbonline.com> wrote:
> Teddy here's how I build the qText string part where the quotes are:
>
> if(len(txtDonorId)){
>         qText = qText & "AND donorid like '%" & txtDonorId & "%' ";
>         }
>
>
>
> On Wed, Jan 27, 2010 at 2:28 PM, Teddy R. Payne <teddyrpa...@gmail.com>
> wrote:
>>
>> Dusty,
>> What type of single quotes are those?  What is the source of the text? Was
>> the query copied and pasted from a Microsoft document?
>>
>>
>> Teddy R. Payne, ACCFD
>> Google Talk - teddyrpa...@gmail.com
>>
>>
>>
>> On Wed, Jan 27, 2010 at 2:24 PM, Dusty Hale <du...@climbonline.com> wrote:
>>>
>>> Hi:
>>>
>>> I've run into a very strange issue. I have a cfc which has a <cfquery>
>>> tag in it. I recently added one field to the SQL in the query and am getting an
>>> error I've never seen before. I can't seem to dig out any info to solve
>>> this. If anyone is familiar, please share.
>>>
>>> Of course when I output the SQL and run in a SQL Studio Query window, the
>>> query runs fine with no errors.
>>>
>>> Here's the error I see in CF:
>>>
>>>
>>>
>>> -----------------------------------------------------------------------------------------------------------------------------
>>> [Macromedia][SQLServer JDBC Driver][SQLServer]Divide by zero error
>>> encountered.
>>>
>>> The error occurred in
>>> D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 149
>>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line
>>> 139
>>> Called from D:\websites\xytexcom_stage2\htdocs\search.cfm: line 48
>>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line
>>> 149
>>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line
>>> 139
>>> Called from D:\websites\xytexcom_stage2\htdocs\search.cfm: line 48
>>>
>>> 147 :         </cfscript>
>>> 148 :         <cfquery name="q" datasource="#application.dsn_name#"
>>> username="#application.db_user#" password="#application.db_pword#">
>>> 149 :         #qText#
>>>
>>> 150 :         </cfquery>
>>> -----------------------------------------
>>>
>>> Here's the SQL code in the qText variable. Please note that it runs fine
>>> in Query Analyzer. Also note that no division is being used.
>>>
>>> ----------------------------------------------------------------
>>> Select donorid, occupation, race, haircolor, hairtexture, eyecolor,
>>> religion, bloodtype, height, weight, heightmetric, weightmetric,
>>> reportedpregnancy, opendonorid, infomp3avail, ethnicity, cmvstatus,
>>> DateEntered, ARTavail, ARTonly, SelectDonors FROM v_websearch where
>>> available = 1 AND donorid like '%9986%' ORDER BY donorid
>>>
>>> ----------------------------------------------------------------------------------
>>>
>>> Any advice or thought on this of course is greatly appreciated.
>>>
>>> Dusty
>>
>
>
>
> --
> Dusty Hale
> Email: du...@dustyhale.com
> Phone (Atlanta): 404.474.3754
> Phone (Toll Free USA): 877.841.3370
> Website: www.DustyHale.com
>


-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
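The injection Dean points out comes from splicing the txtDonorId form value straight into the qText string. The following is an added example, not code from anyone in this thread: it shows that pattern next to the same query rebuilt with cfqueryparam. It assumes the txtDonorId field, the v_websearch view and application.dsn_name from the quoted messages; the column list is shortened and the maxlength value is a placeholder.

```cfml
<!--- Added example, not code from the thread. Assumed names: txtDonorId,
      v_websearch and application.dsn_name are taken from the quoted messages. --->

<!--- BEFORE: the pattern quoted above. txtDonorId is concatenated into the SQL
      text, so any quote characters it contains are parsed by SQL Server as part
      of the statement rather than as data. Note that once the SQL lives in a
      string, cfqueryparam can no longer be applied to it: #qText# is sent as-is. --->
<cfset qText = "SELECT donorid, occupation FROM v_websearch WHERE available = 1 ">
<cfif len(txtDonorId)>
    <cfset qText = qText & "AND donorid like '%" & txtDonorId & "%' ">
</cfif>
<cfset qText = qText & "ORDER BY donorid">
<cfquery name="q" datasource="#application.dsn_name#">
    #qText#
</cfquery>

<!--- AFTER: assemble the statement inline inside cfquery and bind the search
      text with cfqueryparam. The JDBC driver passes it as a bound parameter, so
      the user's input is matched as data and never parsed as SQL. The LIKE
      wildcards are added to the bound value, not to the statement text, and
      maxlength (60 here is an assumed placeholder) caps oversized input. --->
<cfquery name="q" datasource="#application.dsn_name#">
    SELECT donorid, occupation
    FROM v_websearch
    WHERE available = 1
    <cfif len(txtDonorId)>
        AND donorid LIKE <cfqueryparam value="%#txtDonorId#%"
                                        cfsqltype="cf_sql_varchar"
                                        maxlength="60">
    </cfif>
    ORDER BY donorid
</cfquery>
```

Binding the parameter complements, rather than replaces, the database-side restriction mentioned at the top of the thread: a DSN account limited to SELECT on the view bounds what any remaining string-built query can do.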

