When will cfqueryparam NOT protect me?

Posted by Brad Wood
Jul 22, 2008 20:31:00 UTC
JR asked a good question on my queryparam Scanner post. He noticed that I had stopped short of saying cfqueryparam would ALWAYS stop ALL SQL injection. He said, "Can you give an example of a SQL Injection attack which is not caught by cfqueryparam?" I'm glad you asked JR.

QueryParam Scanner - You've got no excuse now

Posted by Brad Wood
Jul 22, 2008 10:07:00 UTC
This April, Peter Boughton put a little tool on RiaForge called QueryParam Scanner. It does what it says and that means you have no excuse not to batten down the hatches on that old code you've got swept under the rug. It also meant I didn't have any excuses either, so I gave it a run tonight.

Just when you felt safe... SQL Injection and MySQL

Posted by Brad Wood
Jul 14, 2008 02:07:00 UTC
Zac Spitzer recently blogged about an article explaining how to hack ColdFusion. Overall the "exposé" was mostly meaningless drivel not having anything much to do specifically with ColdFusion itself. It was accompanied by an array of code samples that look like they were written by a third grader. One point the article made though caught my eye. It claimed MySQL would let you inject SQL into a cfquery not using cfqueryparam even if the variable was enclosed in single ticks. "Could it be?" I scoffed. Oh yes, yes it is true.
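To see why single ticks alone don't save you on MySQL, here is an added example (my own illustration, not code from the post or from the article it mentions). It assumes that a cfquery without cfqueryparam escapes an embedded value only by doubling single quotes, and it models MySQL's default string-literal rules, where a backslash escapes the next character. The `users` table, the `name` column and the input strings are all made up for the demonstration.

```python
"""Quote doubling vs. MySQL backslash escapes (constructed example).

Models what a cfquery without cfqueryparam sends to the server and then
reads the result the way MySQL's lexer would, to find where the quoted
string literal really ends.
"""


def cf_double_quotes(value: str) -> str:
    # Assumption: the only escaping cfquery applies inside '...' is
    # doubling single quotes. Backslashes pass through untouched.
    return value.replace("'", "''")


def build_query(username: str) -> str:
    # The vulnerable pattern: value pasted into a single-quoted literal
    # instead of being sent as a bound parameter via cfqueryparam.
    return "SELECT * FROM users WHERE name = '" + cf_double_quotes(username) + "'"


def mysql_split_literal(sql: str, start: int, backslash_escapes: bool = True) -> tuple[str, int]:
    """Return (literal_body, index_after_closing_quote) for the literal
    opening at sql[start].

    backslash_escapes=True follows MySQL's default: '\\x' yields x, ''
    yields a quote, any other ' closes the literal.
    backslash_escapes=False models NO_BACKSLASH_ESCAPES (or databases such
    as SQL Server/Oracle where backslash is an ordinary character)."""
    if sql[start] != "'":
        raise ValueError("no string literal at offset %d" % start)
    i = start + 1
    body = []
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\" and i + 1 < len(sql):
            body.append(sql[i + 1])  # escaped char, including an escaped quote
            i += 2
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                body.append("'")  # doubled quote is a literal quote
                i += 2
            else:
                return "".join(body), i + 1  # real closing quote
        else:
            body.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def injected_tail(username: str, backslash_escapes: bool = True) -> str:
    """SQL text MySQL would execute after the literal closes.

    An empty string means the literal closed where the developer expected
    it to; anything else is attacker-controlled SQL."""
    sql = build_query(username)
    _, end = mysql_split_literal(sql, sql.index("'"), backslash_escapes)
    return sql[end:].strip()


if __name__ == "__main__":
    for user in ("O'Brien", "\\' OR 1=1 -- "):
        print(repr(build_query(user)))
        print("  MySQL default tail:       ", repr(injected_tail(user)))
        print("  NO_BACKSLASH_ESCAPES tail:", repr(injected_tail(user, False)))
```

The second input is the whole trick: the attacker sends a backslash, a quote, and then whatever SQL they like. Quote doubling turns `\'` into `\''`, MySQL reads `\'` as an escaped quote and the next `'` as the end of the string, and the trailing `-- ` swallows the real closing tick. With backslash escaping off, the same bytes are a harmless literal, which is why the attack is MySQL-specific. cfqueryparam sidesteps the whole problem because the value never becomes part of the SQL text at all.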

Ask and you will (hopefully) receive

Posted by Brad Wood
Jul 08, 2008 05:17:00 UTC
Do you know the address of the Adobe page for requesting bug fixes and product enhancements? Yes, that magical gateway of mystery and wonder that rhymes with a popular children's game.

