Re: Security and SQL
You can also convert your URL LINK to FORM LINKS, then you can test in the receiving page to see that the #http_referer# is coming from the page you want it to. This is a start.

Nathan
www.cftipsplus.com

-- Original Message --
From: "Kevin Schmidt" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Mon, 13 Nov 2000 12:41:31 -0600

> I pass a few values through URL variable that I use in where clauses in my
> SQL. I want to prevent someone from passing malicious SQL through that
> value. What are my options??
>
> Kevin Schmidt
> Internet Services Director
> PWB Integrated Marketing and Communications
> Office: 734.995.5000
> Mobile: 734.649.4843

--
Nathan Stanford = Mr. ColdFusion
[EMAIL PROTECTED]
http://www.cftipsplus.com/
http://www.cfm-resources.com/
= Coldfusion Tips Plus e-ZINE
To Subscribe send a blank email to: [EMAIL PROTECTED] or visit http://www.cftipsplus.com/

--
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send a message with 'unsubscribe' in the body to [EMAIL PROTECTED]
Re: Security and SQL
One basic thing you can do is place an #Int()# function in the query on any values that the user has control of that are supposed to be numeric, or check them in advance with #IsNumeric()# or something. This will keep them from passing a subquery as part of the request. So having it in a query like...

SELECT This FROM That WHERE ID = #Int(URL.ID)#

...is always a good idea.

___
Justin Scott :: [DtDNS Administrator]
http://www.dtdns.com
Re: Security and SQL
If your values are always numbers, always use the Val() function. It returns the number if it is a number and returns a 0 if anything else. Otherwise, make sure you put single quotes around the variable. There are many other things you can do, but those 2 will take care of a lot of the basic nastiness.

Todd Ashworth
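The two numeric suggestions above (Justin's #Int(URL.ID)# and Todd's Val()) and Todd's single-quotes advice, tried out side by side. This is an added example and not code from the thread: it uses Python with an in-memory SQLite table in place of a ColdFusion query, a Python stand-in for CF's Val(), and a constructed articles table, function names and attack strings that are not from the original post.

```python
"""Added example, not from the cf-talk thread: a ColdFusion-style Val()
applied to a numeric URL value, and single quotes around a string value,
run against an in-memory SQLite table so the effect of each on a malicious
URL value can be observed. Table, rows, function names and attack strings
are all constructed for this demonstration."""
import re
import sqlite3

# Leading number of a string, as ColdFusion's Val() reads it (sign, digits,
# optional fraction); anything that does not start with a number yields 0.
_LEADING_NUMBER = re.compile(r"^\s*[-+]?(?:\d+(?:\.\d*)?|\.\d+)")


def val(text):
    """Python stand-in for CF's Val(): leading number or 0, never an error."""
    match = _LEADING_NUMBER.match(str(text))
    if not match:
        return 0
    number = float(match.group(0))
    return int(number) if number.is_integer() else number


def make_db():
    """Constructed sample data: one published article and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "Public story", 1), (2, "Draft, not for release", 0)],
    )
    return conn


def titles(conn, sql, params=()):
    return [row[0] for row in conn.execute(sql, params)]


# 1. Numeric value pasted straight into the WHERE clause, i.e. the thread's
#    '... WHERE ID = #URL.ID#' with no Int()/Val() around it.
def by_id_unsafe(conn, url_id):
    sql = f"SELECT title FROM articles WHERE published = 1 AND id = {url_id} ORDER BY id"
    return titles(conn, sql)


# 2. Same query with the value forced to a number first, as with
#    '... WHERE ID = #Val(URL.ID)#'. Whatever follows the leading digits is
#    dropped, so an appended 'OR 1=1' never reaches the database.
def by_id_coerced(conn, url_id):
    sql = f"SELECT title FROM articles WHERE published = 1 AND id = {val(url_id)} ORDER BY id"
    return titles(conn, sql)


# 3. String value wrapped in single quotes and nothing else, i.e.
#    "... WHERE title = '#URL.title#'". The quotes hold as long as the value
#    contains no quote character; a value that contains one closes the
#    literal early and the rest is parsed as SQL.
def by_title_quoted_only(conn, title):
    sql = f"SELECT title FROM articles WHERE published = 1 AND title = '{title}' ORDER BY id"
    return titles(conn, sql)


# 4. Quotes plus escaping: every single quote inside the value is doubled,
#    the standard SQL way to keep it inside the literal.
def by_title_quoted_escaped(conn, title):
    safe = title.replace("'", "''")
    sql = f"SELECT title FROM articles WHERE published = 1 AND title = '{safe}' ORDER BY id"
    return titles(conn, sql)


# 5. Bind parameter: the driver sends the value separately from the SQL
#    text, so the application does no quoting or escaping at all.
def by_title_param(conn, title):
    sql = "SELECT title FROM articles WHERE published = 1 AND title = ? ORDER BY id"
    return titles(conn, sql, (title,))


if __name__ == "__main__":
    conn = make_db()
    print(by_id_unsafe(conn, "1"))                        # ['Public story']
    print(by_id_unsafe(conn, "0 OR 1=1"))                 # ['Public story', 'Draft, not for release']
    print(by_id_coerced(conn, "0 OR 1=1"))                # []
    print(by_title_quoted_only(conn, "x' OR '1'='1"))     # ['Public story', 'Draft, not for release']
    print(by_title_quoted_escaped(conn, "x' OR '1'='1"))  # []
    print(by_title_param(conn, "x' OR '1'='1"))           # []
```

Cases 1 and 3 are the two ways the draft row leaks: an unquoted numeric slot takes an appended boolean, and a quoted string slot is reopened by a quote inside the value. Coercing to a number (case 2) closes the first; for strings, the quotes Todd recommends need the escaping of case 4 as well, and a bound parameter (case 5; in ColdFusion that is the <cfqueryparam> tag) makes the question of quoting go away. Note the difference Todd points out between the two CF functions: Val() turns junk into 0 and the query runs, whereas Int() on a non-numeric value raises an error, so a page using Int() should also validate with IsNumeric() first, as Justin suggests.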
Re: Security and SQL
Few things:

1) Set up the CFQUERY statement to use a username/pass that only does things you like in the database (basically give it your choice of SELECT, INSERT, UPDATE, DELETE rights). You are using an enterprise-level database, aka SQL 7 or Oracle, now aren't you?

2) At the CF level, you can build your statements to check for malicious statements as such. If I recall correctly somebody built a custom tag to do all that searching for you; check it out at the Allaire development exchange (http://ww.allaire.com).

Gregory Harris
Web Developer
Stirling Bridge Group LLC
Security and SQL
I pass a few values through URL variables that I use in where clauses in my SQL. I want to prevent someone from passing malicious SQL through that value. What are my options?

Kevin Schmidt
Internet Services Director
PWB Integrated Marketing and Communications
Office: 734.995.5000
Mobile: 734.649.4843