> I rarely use url variables, but when I do I always check to make sure it
> contains the type of data I am expecting it to contain.
There is no difference between URL, form, cookie or (certain) CGI
variables, really. They're all equally unsafe. Anything that comes
from the browser is unsafe.
D
> Anyone who uses a url variable in a sql statement - even with cfqueryparam
> - is simply asking for trouble.
There is nothing inherently unsafe in doing this. The worst that can
occur is an SQL error. The database will not execute the contents of
the variable.
Dave Watts, CTO, Fig Leaf Softwar
Even if your cfqueryparam is looking for a string (say you're using a
UUID), you're still safe because they're passed in as arguments to a
manufactured stored procedure. Ultimately, the db ends up doing something
like this:
declare @p1 nvarchar(4000);
select * from forums where threadid=@p1
EVE
At some point, you want to verify that you are passing an actual threadid
(to use your example) and not a sql statement that someone has appended to
the url as threadid. If you simply use the url variable you aren't doing
that. If your cfqueryparam is checking for an integer you would probably be
How exactly are we asking for trouble by using URL variables within
CFQUERYPARAMs?
For example, a message board might link to a message topic with
viewTopic.cfm?threadid=5
You can't do form posts for every call to your application, so I'm curious
as to how you propose doing this.
And then use
Anyone who uses a url variable in a sql statement - even with cfqueryparam
- is simply asking for trouble.
On Thu, Mar 7, 2013 at 1:18 PM, Russ Michaels wrote:
>
> Ok found an example for you.
>
> www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me
>
> > > Sadly I cannot provide any links as proof, so I won't argue with you, but I
> > > am sure I have seen someone on this list provide some advanced sql
> > > injection examples that got through cfqueryparam
> >
> > The only way for this to be possible is to do something with the data
> > in your
Ok found an example for you.
www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me
>> Sadly I cannot provide any links as proof, so I won't argue with you, but I
>> am sure I have seen someone on this list provide some advanced sql
>> injection examples that got throu
I used cfparam to do that before cfqueryparam existed.
Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine
On Mar 6, 2013 8:37 PM, "Rick Root" wrote:
>
> And, in this case, having helps you debug weird errors tha
And, in this case, having helps you debug weird errors that
you'd get when a field that is expected to be numeric is blank or not
numeric.
I.e.
where myField=#someval#
will result in an unrecognizable syntax error if #someval# is an empty
string, and the line number will be the end of the query,
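The two behaviours the thread describes (a value pasted into the SQL text, as in `where myField=#someval#`, versus a value passed through cfqueryparam as a bound parameter of the kind Dave shows with `@p1`) can be reproduced outside ColdFusion. The following is an added example written for this page, not code from the list or from any poster; it uses Python's standard `sqlite3` module in place of ColdFusion and SQL Server, a constructed `forums` table, and function names (`lookup_interpolated`, `lookup_parameterised`, `as_integer`, `run_url_value`) that are my own. `as_integer` stands in for what `cfsqltype="cf_sql_integer"` does before the query is sent: reject a value that is not an integer.

```python
import sqlite3


def make_db():
    """Constructed sample data: a message-board table with two threads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE forums (threadid INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO forums VALUES (?, ?)",
        [(5, "first thread"), (6, "second thread")],
    )
    return conn


def lookup_interpolated(conn, threadid):
    """The `where threadid=#url.threadid#` style: the raw value becomes SQL text."""
    sql = f"SELECT threadid, title FROM forums WHERE threadid={threadid}"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, threadid):
    """The cfqueryparam style: the value is bound as a parameter and compared as data."""
    sql = "SELECT threadid, title FROM forums WHERE threadid=?"
    return conn.execute(sql, (threadid,)).fetchall()


def as_integer(value):
    """Type check done before the query runs (what cf_sql_integer does in ColdFusion)."""
    try:
        return int(value)
    except (TypeError, ValueError):
        raise ValueError(f"threadid must be an integer, got {value!r}")


def run_url_value(conn, raw):
    """Show what each style does with one raw URL value.

    'interpolated'     -> ('rows', [...]) or ('sql_error', None)
    'parameterised'    -> ('rows', [...]) after the integer check, or ('rejected', None)
    'parameterised_raw'-> rows when the untyped string is bound directly
    """
    try:
        interpolated = ("rows", lookup_interpolated(conn, raw))
    except sqlite3.OperationalError:
        # An empty or malformed value leaves the SQL text syntactically broken,
        # which is the "unrecognizable syntax error" described in the thread.
        interpolated = ("sql_error", None)

    try:
        parameterised = ("rows", lookup_parameterised(conn, as_integer(raw)))
    except ValueError:
        parameterised = ("rejected", None)

    # Binding the string without a type check: the database compares it as a
    # value, it never parses it as SQL, so at worst the lookup finds nothing.
    parameterised_raw = lookup_parameterised(conn, raw)

    return {
        "interpolated": interpolated,
        "parameterised": parameterised,
        "parameterised_raw": parameterised_raw,
    }


if __name__ == "__main__":
    db = make_db()
    # Constructed URL values: a normal id, a blank field, and text with SQL appended.
    for value in ("5", "", "5 or 1=1"):
        print(repr(value), run_url_value(db, value))
```

Running it shows the blank value producing a SQL error in the interpolated form and a type rejection in the parameterised form, and the value with SQL appended being executed as part of the statement in the interpolated form while the bound parameter simply matches no row.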
I'd have to agree with Dave.
The only time I've seen an issue (with cfqueryparam) was with something
like a sql string generated based on say a search form and then that being
passed to a stored procedure that executes the statement in the procedure.
Not to say it's impossible, for there are tho
> Sadly I cannot provide any links as proof, so I won't argue with you, but I
> am sure I have seen someone on this list provide some advanced sql
> injection examples that got through cfqueryparam
The only way for this to be possible is to do something with the data
in your SQL after receiving th
Sadly I cannot provide any links as proof, so I won't argue with you, but I
am sure I have seen someone on this list provide some advanced sql
injection examples that got through cfqueryparam
On Tue, Mar 5, 2013 at 9:50 PM, Dave Watts wrote:
>
> Protecting against sql injection also requires more than simply validating
> datatypes, relying on cfqueryparam to do this will only protect you from
> the basic drive by injections that rely on numeric fields accepting
> strings, not advanced injections which can be done on any text field.
Thi
Btw cfqueryparam is not actually there to protect against sql injection,
rather it is for parametrising queries to create execution plans for better
performance.
You can validate data in various ways before using in your query to achieve
the same result, such as cfparam, which will sometimes be bet
Thanks for the tips and feedback, everyone!
Rick
-----Original Message-----
From: Byron Mann [mailto:byronos...@gmail.com]
Sent: Tuesday, March 05, 2013 2:05 PM
To: cf-talk
Subject: Re: Anyone see anything wrong with the syntax of the query?
Not concerned with the sql syntax as much as I am about not using
cfqueryparam.
Please please please take the time to convert every query you have to use
that.
Based on your cfarguments and db permissions for your dsn, a bad bad user
might be able to delete everything from your database.
Byron
Use cfqueryparam to rule out the value of the arguments variable causing
syntax related issues.
When an error tells you the line number and it is in a query, it rarely is
that actual line; it just knows it is in the query somewhere.
On 3/5/13 11:47 AM, "Rick Faircloth" wrote:
>
>datasource="
-----Original Message-----
From: John M Bliss [mailto:bliss.j...@gmail.com]
Sent: Tuesday, March 05, 2013 11:56 AM
To: cf-talk
Subject: Re: Anyone see anything wrong with the syntax of the query?
Perhaps it's the contents of that variable? Try putting it into a
cfqueryparam.
On Tue, Mar 5
m: listmas...@houseoffusion.com [mailto:listmas...@houseoffusion.com] On
Behalf Of Rick Faircloth
Sent: Tuesday, March 05, 2013 8:48 AM
To: cf-talk
Subject: Anyone see anything wrong with the syntax of the query?
select substring_index(p.mls_number, '_', 1) as p.mls_number,
Perhaps it's the contents of that variable? Try putting it into a
cfqueryparam.
On Tue, Mar 5, 2013 at 10:47 AM, Rick Faircloth wrote:
>
> datasource="#arguments.real_estate_dsn#">
>
>select substring_index(p.mls_number, '_', 1) as p.mls_number,
>p.street_number, p.str
select substring_index(p.mls_number, '_', 1) as p.mls_number,
p.street_number, p.street_name, p.city, p.state,
oh.mls_number, oh.date, oh.start_time, oh.end_time, oh.host_name
from properties p
left join fortstewart.open_houses oh
on