Nick,
They're trying to get at the credentials of your server. You can run the
query yourself in a query window like so:
select @@servername,
system_user,
db_name()
You'll notice it spits back the server name, system username and the
database name.
Rob
-----Original Message-----
From: Nick Way - South East Publishing [mailto:[email protected]]
Sent: 17 January 2009 13:37
To: sql
Subject: sql injection
hi guys
cfqueryparam caused a query to error last night (and send me an error
report)
it seems someone stuffed this into the query string
(select@@servername+char(47)+system_user+char(47)+db_name()))--sp_password'
so our code caught this but I'm intrigued to know what it would have done /
looks like it was intending to do. If anyone can enlighten me I'd be very
grateful
TIA
Nick
----- Original Message -----
From: "sql" <[email protected]>
To: "sql" <[email protected]>
Sent: Friday, January 16, 2009 1:00 PM
Subject: SQL: Digest every 8 hours
> SQL 16-Jan-09 Issue:245
> In this issue:
> Oracles "Partition" keyword
Archive: http://www.houseoffusion.com/groups/sql/message.cfm/messageid:3177
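
Added example, not part of the original thread or either poster's code: a scan of web access logs for the tokens in the probe Nick quotes, so the same request can be spotted on pages that do not raise an error. The log format, paths, addresses and function names are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Tokens taken from the probe quoted in this thread, matched case-insensitively.
PROBE_TOKENS = {
    "server_name": re.compile(r"@@servername", re.I),
    "login_name": re.compile(r"\bsystem_user\b", re.I),
    "database_name": re.compile(r"\bdb_name\s*\(", re.I),
    "char_concat": re.compile(r"\bchar\s*\(\s*\d+\s*\)", re.I),
    "sp_password_tail": re.compile(r"--\s*sp_password", re.I),
}

# Constructed sample lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /article.cfm?id=12 HTTP/1.1" 200 5120
192.0.2.11 - - [01/Jan/2000:10:00:05 +0000] "GET /search.cfm?q=system+user+guide HTTP/1.1" 200 880
198.51.100.23 - - [01/Jan/2000:10:00:09 +0000] "GET /article.cfm?id=(select@@servername%2Bchar(47)%2Bsystem_user%2Bchar(47)%2Bdb_name()))--sp_password' HTTP/1.1" 500 312
"""

def scan_url(url):
    """Return {parameter: [matched token names]} for one request URL."""
    hits = {}
    # parse_qsl percent-decodes names and values and turns '+' into a space.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        found = [label for label, rx in PROBE_TOKENS.items() if rx.search(value)]
        if found:
            hits[name] = found
    return hits

def scan_log(lines):
    """Yield (client, url, hits) for log lines whose URL carries probe tokens."""
    for line in lines:
        client, _, rest = line.partition(" ")
        match = re.search(r'"(?:GET|POST) (\S+)', rest)
        if match:
            hits = scan_url(match.group(1))
            if hits:
                yield client, match.group(1), hits

if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(client, hits)
```

A hit only says the request carried these tokens; whether a page was exposed depends on whether that parameter was bound with cfqueryparam.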