Howdy,

Thanks for looking into this. And I'm fully aware of the cfqueryparam recommendation -- and the fact that it has been the official recommendation probably for more than a decade now ;-) However, having done consultancy CFML work in the past and having had access to dozens of CF consultants' & developers' code.. well.. recommendations and real life very rarely meet :-)

I wasn't scaremongering really, but I do realize the fact that there's tons of code people use, that isn't necessarily theirs, that relies upon the fact that single quote escaping is automated in CFML engines. Thus, I thought that raising the issue among OBD developers with a bit more "urgent" flag in my message might underline the issue.

After all, people use weird, weird combinations of SQL servers, drivers & app servers, and I just personally feel that whenever these kinds of __potential__ hazards are handled asap, it strengthens the platform's credibility. As a side note, good to hear that when using MySQL the worst-possible scenario has been addressed already.

Again, apologies if I sounded a bit too harsh. I just personally felt it was an important issue to address, even though the practice that causes the "red flag" here conflicts with good CFML coding manners ;-)

Best,

-Petteri
 

> Thank you for reporting this, we are looking into it.
>
> However, let me de-alarm the alarmist portion of this post with respect to SQL Injection attacks.
>
> It has been a long held view that you should _ALWAYS_ use CFQUERYPARAM (aka prepared statements) for anything that accepts text from the open public. If you still have code out in the field like this, then this is bad and should be fixed asap. When I code review my team, it is one of the top things that always gets picked off the list.
>
> This is not a new thing and has always been the advice in many forums for a number of years now. Always assume that your data from users is always dirty and potentially dangerous. Do as much as you can to clean and sanitize it.
>
> If anything it is just good practice. It does way more escaping and preparation than the rudimentary escaping of ' -> \'.
>
> Secondly, if you are using MySQL then the underlying driver and database no longer suffer from this. So statements such as:
>
> SELECT * FROM Table where a="'; drop database'
>
> won't actually work. Java drivers do not suffer from this as much as the PHP ones did, where most of the scaremongering stories come from.
>
> Wide sweeping (and factually incorrect) statements such as the one you posted here do not paint the full story and only go to incite panic where none need exist.
>
> Thank you for raising the issue with us and we are looking into it.
>
> dRD wrote:
> > Basically, now, any code that uses built-in OBD functions inside CFQUERY is exposed to SQL injection attacks.

-- 
official tag/function reference: http://openbd.org/manual/
 mailing list - http://groups.google.com/group/openbd?hl=en
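As an added illustration of the cfqueryparam recommendation discussed in the thread (example code written for this page, not code from the thread or from OpenBD itself; the `users` table, the `app` datasource and the `url.id` / `url.name` inputs are assumptions):

```cfml
<!--- Assumed schema: users(id INTEGER, name VARCHAR). The "app" datasource
      and the url.id / url.name request values are hypothetical. --->

<!--- Vulnerable pattern: the request values become part of the SQL text.
      The engine's automatic single-quote escaping only helps for a plain
      variable reference inside a quoted string literal; it gives no
      protection in a numeric context (id below), and dRD's report is that
      values produced by built-in OBD functions called inside CFQUERY
      (lcase() below) do not get that treatment either. --->
<cfquery name="findUser" datasource="app">
    SELECT id, name
    FROM   users
    WHERE  id   = #url.id#
    AND    name = '#lcase(url.name)#'
</cfquery>

<!--- Hardened pattern: cfqueryparam sends each value as a typed bind
      parameter (a prepared statement), so it is never parsed as SQL,
      whatever quoting or escaping the engine, driver or database happens
      to do. cfsqltype lets the engine validate the value against the
      declared type before the query is sent, and maxlength bounds the
      string. Calling a built-in function on the value is fine here,
      because the result is still bound rather than concatenated. --->
<cfquery name="findUser" datasource="app">
    SELECT id, name
    FROM   users
    WHERE  id   = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    AND    name = <cfqueryparam value="#lcase(url.name)#" cfsqltype="cf_sql_varchar" maxlength="64">
</cfquery>
```

The first form depends on whichever escaping the engine and driver apply; the second does not, which is why the thread treats cfqueryparam as the fix regardless of the SQL server, driver and app server combination in use.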
