RE: SQL Injection Attacks (scrubbers cont.)

2002-09-03 Thread Bryan Love
I might be way off here, but wouldn't you just need to screen for semi-colons? In order to hack a query the user would have to enter a semi-colon to end the current statement and begin one of their own... +---+ Bryan Love Macromedia Certified Profess

RE: SQL Injection Attacks (scrubbers cont.)

2002-09-03 Thread Brook Davies
If that is true, you would have to look for more than just the semi-colon. The semi-colon could be used in a legitimate string. I was going to say you could look for ;drop or ;insert etc., but I think there would still be other ways to do damage via SQL. The user could do the semi-colon and then

RE: SQL Injection Attacks (scrubbers cont.)

2002-09-03 Thread Cornillon, Matthieu
Message- From: Brook Davies [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 03, 2002 3:17 PM To: CF-Talk Subject: RE: SQL Injection Attacks (scrubbers cont.) If that is true, you would have to look for more than just the semi-colon. The semi-colon could be used in a legitimate string. I

Re: SQL Injection Attacks (scrubbers cont.)

2002-09-03 Thread Bill Wheatley
Not everyone has cfqueryparam available; we are on CF4 for a few more months, so we're SOL. But you could theoretically still do something like select * from blah where userdata; select * from blah which would be interpreted as a 2nd query. CFQUERY param might fix that; it might come down to the ol

RE: SQL Injection Attacks (scrubbers cont.)

2002-09-03 Thread Dave Watts
> Not everyone has cfqueryparam available; we are on CF4 for a > few more months, so we're SOL. > > But you could theoretically still do something like > > select * > from blah > where userdata; select * from blah > > which would be interpreted as a 2nd query. CFQUERY param > might fix that; it m

Re: SQL Injection Attacks (scrubbers cont.)

2002-09-03 Thread Bill Wheatley
TED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Tuesday, September 03, 2002 5:00 PM Subject: RE: SQL Injection Attacks (scrubbers cont.) > > Not everyone has cfqueryparam available we are on CF4 for a > > few more months so we're SOL. > > > > But

RE: SQL Injection Attacks (scrubbers cont.)

2002-09-03 Thread Dave Watts
> :) That's why I said for places that can not do CFQUERYparam Sorry, I misunderstood you. D'oh! Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444
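An added example, not from the thread, in Python with sqlite3 standing in for the cfqueryparam side of the discussion: it contrasts the semicolon scrubber Bryan proposes on a string-built query with a bound parameter, using the stacked text from Bill's post and a legitimate value that contains a semicolon (Brook's objection). The table name "blah" comes from the post; the rows, prefixes and function names are constructed here.

```python
import sqlite3

ID_PREFIX = "SELECT userdata FROM blah WHERE id = "
TEXT_PREFIX = "SELECT userdata FROM blah WHERE userdata = "


def make_db():
    """Constructed in-memory stand-in for the thread's 'blah' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blah (id INTEGER PRIMARY KEY, userdata TEXT)")
    conn.executemany("INSERT INTO blah (userdata) VALUES (?)",
                     [("alpha",), ("note; see appendix",), ("beta",)])
    return conn


def scrub_semicolons(value):
    """The scrubber proposed in the thread: drop every semicolon."""
    return value.replace(";", "")


def run_concat(conn, prefix, value, suffix="", scrub=True):
    """Query built by string concatenation; the scrubber is the only defence.
    Returns the matching userdata values, or 'error: <class>' when the driver
    refuses the text, e.g. because the semicolon turned it into two statements."""
    if scrub:
        value = scrub_semicolons(value)
    try:
        return [row[0] for row in conn.execute(prefix + value + suffix)]
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return "error: " + type(exc).__name__


def run_param(conn, prefix, value):
    """Same query with a bound parameter: the value is data, never parsed as SQL."""
    return [row[0] for row in conn.execute(prefix + "?", (value,))]


if __name__ == "__main__":
    db = make_db()
    stacked = "1; select * from blah"       # the stacked text from Bill's post
    legit = "note; see appendix"            # legitimate value containing ';'
    print(run_concat(db, ID_PREFIX, stacked, scrub=False))  # error: two statements
    print(run_concat(db, ID_PREFIX, stacked))               # error: syntax after scrubbing
    print(run_param(db, ID_PREFIX, stacked))                # [] -> whole string is data
    print(run_concat(db, TEXT_PREFIX + "'", legit, "'"))    # [] -> scrubber mangled the value
    print(run_param(db, TEXT_PREFIX, legit))                # ['note; see appendix']
```

The scrubber stops the stacked statement only by breaking the SQL, and it also loses a legitimate record; the bound parameter handles both inputs without any character filtering.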