Even then, I have not seen a way to create SQL injection attacks with CF.
Russ,
One particularly nasty example I have seen in action is an attack against MSSQL DBs using EXEC sp_cmdshell.
You can then run any DOS command via MSSQL.
I agree with Matt; it's better to err on the side of caution.
Russ wrote:
In my experience, it only slowed things down. Now, YMMV, but I've noticed that the more cfqueryparams you have in your query, the slower it will run.
What did you test? How did you test it? How many simultaneous users?
Although theoretically the SQL engine should have an easier
Andy Matthews wrote:
A query has an incoming value which is the result of a previous query:
WHERE id = #Val(getsite.id)#
Should something like this be using a cfqueryparam or is it okay to leave as is?
What happens if getsite does not return any rows? If you have that covered and
I'm looking through old code from my new company and I'm asking questions of myself. It's a good challenge, but one that I'm not sure about is this.
A query has an incoming value which is the result of a previous query:
WHERE id = #Val(getsite.id)#
Should something like this be using a
ALWAYS use CFQUERYPARAM... it's not just for stopping SQL injection attacks. It also increases query speed by using BIND variables (at least with Oracle and MS SQL Server; not Access; not sure about MySQL).
HTH
Cheers
Bryan Stevenson B.Comm.
VP Director of E-Commerce Development
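An added example (mine, not code posted in the thread) that puts the three points above side by side: the numeric-context injection that a cmdshell attack rides in on, why Val() happens to stop it, and what cfqueryparam changes, including the case where getsite returns no rows. It assumes a datasource named "siteDB" and tables sites(id, name) and pages(id, site_id, title); the attacker input is constructed for illustration. On SQL Server the command-shell procedure is xp_cmdshell, disabled by default from SQL Server 2005 on.

```cfml
<!--- Added example, not from the thread. Assumes a datasource "siteDB",
      a table sites(id INT, name VARCHAR) and a table pages(id INT, site_id INT,
      title VARCHAR). The attacker value is constructed for illustration. --->

<!--- 1. Numeric context, raw interpolation: the usual CF injection point.
      cfquery doubles single quotes inside #...# (unless wrapped in
      PreserveSingleQuotes), which is why string contexts are hard to break
      out of. A numeric comparison has no quotes at all, so whatever follows
      the number is parsed as SQL, e.g. a stacked EXEC of xp_cmdshell. --->
<cfparam name="url.id" default="0">
<!--- Constructed attacker input: url.id = 1; EXEC master..xp_cmdshell 'dir' --->
<cfquery name="getsiteBad" datasource="siteDB">
    SELECT id, name FROM sites WHERE id = #url.id#
</cfquery>

<!--- 2. Val() keeps only the leading number (Val("1; EXEC ...") is 1), which
      stops the injection but still sends a new literal to the server on
      every call: no bind variable, no plan reuse, and no type check. --->
<cfquery name="getsiteVal" datasource="siteDB">
    SELECT id, name FROM sites WHERE id = #Val(url.id)#
</cfquery>

<!--- 3. Bind variable. The SQL text is identical on every call; the value
      travels separately and is checked against cf_sql_integer, so the
      attacker input above is rejected by ColdFusion before it reaches the DB. --->
<cfquery name="getsite" datasource="siteDB">
    SELECT id, name FROM sites
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 4. The follow-up query from the thread. If getsite returned no rows,
      getsite.id is an empty string: Val("") is 0 and the literal version
      silently selects pages with site_id = 0, while cfqueryparam with
      cf_sql_integer throws an invalid-data error on "". Checking
      recordCount first makes the empty case explicit either way. --->
<cfif getsite.recordCount EQ 0>
    <cfthrow type="Application" message="No site found for id #Val(url.id)#">
</cfif>
<cfquery name="getpages" datasource="siteDB">
    SELECT id, title FROM pages
    WHERE site_id = <cfqueryparam value="#getsite.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

Val() only covers the one numeric case; a string column would need its own escaping, and PreserveSingleQuotes() re-opens the string context. cfqueryparam applies the same typed bind on every call, which is also why it fails loudly on the empty string instead of quietly querying id = 0.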
A query has an incoming value which is the result of a previous query:
WHERE id = #Val(getsite.id)#
Should something like this be using a cfqueryparam or is it okay to leave as is?
As Bryan said, it probably should use cfqueryparam. One time you may see this code though would be if it's a
www.dealerskins.com
-Original Message-
From: Bryan Stevenson [mailto:[EMAIL PROTECTED]
Sent: Monday, January 08, 2007 12:02 PM
To: CF-Talk
Subject: Re: Cfqueryparam on ALL values or just user definable ones?
ALWAYS use CFQUERYPARAM... it's not just for stopping SQL injection attacks
Could you explain a little please? It would seem to me that using an extra function or tag would increase processing time.
The limiting factor here is not the CF code, it's the database processing time. Using binding variables will generally speed that up.
--- Mary Jo
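One way to check Mary Jo's point on SQL Server rather than timing a single developer hitting the page, added here as an example and not code from the thread: run the same lookup both ways, then read what the server cached. It assumes a SQL Server 2005 or later datasource named "siteDB" whose login has VIEW SERVER STATE, and a table sites(id, name).

```cfml
<!--- Added example, not from the thread. Assumes a SQL Server 2005+ datasource
      "siteDB" whose login has VIEW SERVER STATE, and a table sites(id INT, name VARCHAR). --->

<!--- Run the same lookup five times with different ids, once with a literal
      and once with a bind variable, so both shapes land in the plan cache. --->
<cfloop index="siteId" from="1" to="5">
    <cfquery name="literalQuery" datasource="siteDB">
        SELECT id, name FROM sites WHERE id = #Val(siteId)#
    </cfquery>
    <cfquery name="boundQuery" datasource="siteDB">
        SELECT id, name FROM sites
        WHERE id = <cfqueryparam value="#siteId#" cfsqltype="cf_sql_integer">
    </cfquery>
</cfloop>

<!--- Ask SQL Server what it cached. The literal form shows up as one Adhoc
      entry per distinct id, each with usecounts = 1; the bound form shows up
      once, as a Prepared plan whose text starts with the parameter
      declaration (e.g. "(@P1 int)SELECT ..."), with usecounts climbing on
      every call. The NOT LIKE clause hides this DMV query itself, whose own
      text contains the search string. --->
<cfquery name="planCache" datasource="siteDB">
    SELECT cp.objtype, cp.usecounts, st.text AS sqltext
    FROM sys.dm_exec_cached_plans AS cp
    CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
    WHERE st.text LIKE '%FROM sites WHERE id =%'
      AND st.text NOT LIKE '%dm_exec_cached_plans%'
    ORDER BY cp.objtype, cp.usecounts DESC
</cfquery>

<cfoutput query="planCache">
    #objtype# #usecounts# #HTMLEditFormat(sqltext)#<br>
</cfoutput>
```

Two caveats when reading the output: SQL Server's simple parameterization can fold a trivial single-table lookup like this one into a shared Prepared plan even for the literal form, though the per-literal Adhoc entries still appear and anything more complex is not auto-parameterized; and the difference only matters under concurrent load, where each distinct literal costs a compile and a cache slot, which a single developer clicking through a page will never see.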
Here's a good blog entry from Ben a while back:
http://www.forta.com/blog/index.cfm/2005/12/21/SQL-Injection-Attacks-Easy-To-Prevent-But-Apparently-Still-Ignored
Will
Sent: Monday, January 08, 2007 1:26 PM
To: CF-Talk
Subject: Re: Cfqueryparam on ALL values or just user definable ones?
Could you explain a little please? It would seem to me that using an extra function or tag would increase processing time.
The limiting factor here
Does anyone know if this works on SQL Server? I was never able to replicate this.
Russ
-Original Message-
From: Will Tomlinson [mailto:[EMAIL PROTECTED]
Sent: Monday, January 08, 2007 1:34 PM
To: CF-Talk
Subject: Re: Cfqueryparam on ALL values or just user definable ones
Although theoretically the SQL engine should have an easier time caching an execution plan for your query,
And there's the important part. I don't think you can base it on what you will see as just one individual hitting the page during development, because yes, then you will generally see a
I am all for reducing attack surfaces. Even if cfqueryparam's sole purpose in life is to enhance security, it's worth it. Never mind the speed given under load. Use it as a cheap way to bulletproof your code and minimize your own personal liability in case it turns out the hacker is smarter than