
  1. #21

    Re: SQL injection

    > If passed variables of varchar type are not protected by cfqueryparam a hacker can use for example
    > UNION statement adding it as a part of variable that could be interpreted as valid part of a query
    > and select data from any unprotected by granted permissions tables
    Any executable example to support this statement?


    Mr Black Guest

  3. #22

    Re: SQL injection

    Select fieldName1 from table1
    where fieldName2 = '#form.variableName#'.

    Put in passed #form.variableName# (it could be also url variable) value like
    'bla-bla' UNION Select fieldName3 from table2.

    Works with Oracle if no cfqueryparam around #form.variableName#.


    CF_Oracle Guest

  4. #23

    Re: SQL injection

    Nope. This doesn't work. The entire entry is treated as a char value, not like two independent SQL statements. Any better example?

    Mr Black Guest

  5. #24

    Re: SQL injection

    Originally posted by: CF_Oracle
    Works with Oracle if no cfqueryparam around #form.variableName#.


    I tried it with MX 6.1 and a few different databases (not Oracle) and drivers
    and the single quotes were always escaped. What version of MX, Oracle and
    drivers are you using?

    If however, the statement uses #PreserveSingleQuotes()# or was a numeric
    value (i.e. no single quotes around the #variable#), then SQL injection was
    possible.

    mxstu Guest
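The two cases mxstu describes, each weak form beside its cfqueryparam-hardened form, as an added example that is not code from anyone in this thread; the datasource name, table and column names are assumed.

```cfml
<!--- Case 1: a numeric value interpolated without quotes.
      ColdFusion's automatic doubling of single quotes never applies here,
      so the raw request value becomes part of the SQL text. --->
<cfquery name="getOrderWeak" datasource="appDSN">
    SELECT order_id, total
    FROM orders
    WHERE order_id = #url.orderID#
</cfquery>

<!--- Hardened: bind the value as a typed parameter. A value that is not
      an integer is rejected by cfqueryparam before the statement is sent. --->
<cfquery name="getOrder" datasource="appDSN">
    SELECT order_id, total
    FROM orders
    WHERE order_id = <cfqueryparam value="#url.orderID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Case 2: PreserveSingleQuotes() switches off the quote escaping that
      the thread relies on, so a varchar value is again spliced into the SQL. --->
<cfquery name="getCustomerWeak" datasource="appDSN">
    SELECT customer_id, name
    FROM customers
    WHERE name = '#PreserveSingleQuotes(form.customerName)#'
</cfquery>

<!--- Hardened: a bound parameter carries apostrophes (e.g. O'Brien) intact
      without any escaping tricks, which removes the reason PreserveSingleQuotes
      was being used in the first place. --->
<cfquery name="getCustomer" datasource="appDSN">
    SELECT customer_id, name
    FROM customers
    WHERE name = <cfqueryparam value="#form.customerName#" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>
```

With both parameters bound, a request value containing a UNION clause or a stray quote is passed to the database as data only, and a non-numeric orderID fails at the cfqueryparam tag rather than in the query.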

  6. #25

    Re: SQL injection

    Oracle9i, CF&. Yes, I used PreserveSingleQuotes since text field values included apostrophes sometimes. Thanks mxstu.

    CF_Oracle Guest
