Yep. But I knew that we could count on you to point it out... You could mitigate the possibility to a degree with a filter like my cf_xssblock tag, plus configuring the db to only allow select and exec.

I actually used to include something very similar to that in my servertools app so you could run ad hoc SQL from a form against any CF dsn, but then I thought about how bad that could be in the wrong hands and binned it.

________________________________
From: Dean H. Saxe <d...@fullfrontalnerdity.com>
To: discussion@acfug.org
Sent: Wed, January 27, 2010 6:29:03 PM
Subject: Re: [ACFUG Discuss] a very strange sql error that only happens when using CF

D'oh! Anyone else see the classic SQL injection vuln here...

--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children." -- John James Audubon

On Wed, Jan 27, 2010 at 11:47 AM, Dusty Hale <du...@climbonline.com> wrote:
> Teddy here's how I build the qText string part where the quotes are:
>
> if(len(txtDonorId)){
>     qText = qText & "AND donorid like '%" & txtDonorId & "%' ";
> }
>
> On Wed, Jan 27, 2010 at 2:28 PM, Teddy R. Payne <teddyrpa...@gmail.com> wrote:
>>
>> Dusty,
>> What type of single quotes are those? What is the source of the text? Was the query copied and pasted from a Microsoft document?
>>
>> Teddy R. Payne, ACCFD
>> Google Talk - teddyrpa...@gmail.com
>>
>> On Wed, Jan 27, 2010 at 2:24 PM, Dusty Hale <du...@climbonline.com> wrote:
>>>
>>> Hi:
>>>
>>> I've run into a very strange issue. I have a cfc which has a <cfquery> tag in it. I recently added one field to the SQL in the query and am getting an error I've never seen before. I can't seem to dig out any info to solve this. If anyone is familiar, please share.
>>>
>>> Of course when I output the SQL and run it in a SQL Studio Query window, the query runs fine with no errors.
>>>
>>> Here's the error I see in CF:
>>>
>>> -----------------------------------------------------------------------------------------------------------------------------
>>> [Macromedia][SQLServer JDBC Driver][SQLServer]Divide by zero error encountered.
>>>
>>> The error occurred in D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 149
>>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 139
>>> Called from D:\websites\xytexcom_stage2\htdocs\search.cfm: line 48
>>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 149
>>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 139
>>> Called from D:\websites\xytexcom_stage2\htdocs\search.cfm: line 48
>>>
>>> 147 : </cfscript>
>>> 148 : <cfquery name="q" datasource="#application.dsn_name#" username="#application.db_user#" password="#application.db_pword#">
>>> 149 : #qText#
>>> 150 : </cfquery>
>>> -----------------------------------------
>>>
>>> Here's the SQL code in the qText variable. Please note that it runs fine in Query Analyzer. Also note that no division is being used.
>>>
>>> ----------------------------------------------------------------
>>> Select donorid, occupation, race, haircolor, hairtexture, eyecolor, religion, bloodtype, height, weight, heightmetric, weightmetric, reportedpregnancy, opendonorid, infomp3avail, ethnicity, cmvstatus, DateEntered, ARTavail, ARTonly, SelectDonors FROM v_websearch where available = 1 AND donorid like '%9986%' ORDER BY donorid
>>> ----------------------------------------------------------------------------------
>>>
>>> Any advice or thought on this of course is greatly appreciated.
>>>
>>> Dusty
>>
>
> --
> Dusty Hale
> Email: du...@dustyhale.com
> Phone (Atlanta): 404.474.3754
> Phone (Toll Free USA): 877.841.3370
> Website: www.DustyHale.com

-------------------------------------------------------------
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
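For reference, the string concatenation Dusty posted placed beside a parameterized version of the same query. This is an added example, not code from the thread; it reuses the thread's names (qText, txtDonorId, application.dsn_name, v_websearch), and the maxlength value is an assumption.

```cfml
<!--- Vulnerable (the pattern from the thread): the search term is spliced
      into the SQL text, so a single quote in txtDonorId becomes SQL syntax. --->
<cfscript>
    if (len(txtDonorId)) {
        qText = qText & "AND donorid like '%" & txtDonorId & "%' ";
    }
</cfscript>
<cfquery name="q" datasource="#application.dsn_name#">
    #qText#
</cfquery>

<!--- Hardened: the same search with the user value bound through cfqueryparam.
      The driver ships the value separately from the statement, so quotes in the
      input stay data. The LIKE wildcards belong in the parameter value, not in
      the SQL string. maxlength (assumed limit) caps what the caller can send.
      Pair this with a datasource login granted only SELECT/EXEC, as suggested
      above, so a future injection bug has less to work with. --->
<cfquery name="q" datasource="#application.dsn_name#">
    SELECT donorid, occupation, race, haircolor, hairtexture, eyecolor,
           religion, bloodtype, height, weight, heightmetric, weightmetric,
           reportedpregnancy, opendonorid, infomp3avail, ethnicity, cmvstatus,
           DateEntered, ARTavail, ARTonly, SelectDonors
    FROM v_websearch
    WHERE available = 1
    <cfif len(txtDonorId)>
        AND donorid LIKE <cfqueryparam value="%#txtDonorId#%"
                                       cfsqltype="cf_sql_varchar"
                                       maxlength="52">
    </cfif>
    ORDER BY donorid
</cfquery>
```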