Sending the URL Values to a string

Participant, Nov 28, 2006

How can I pass any URL values from the URL structure to a list or string to check for SQL injections? I am not sure what syntax to use. I know that StructKeyList(URL) will give me all of the parameters, but I need the values of those keys.
1 Correct answer

LEGEND, Nov 28, 2006
Well, cgi.query_string is a copy of the URL parameters and their values. But what are you "checking" for SQL injection in the URL values? The usual best practice is to use <cfqueryparam ...> to prevent the injection from working. It is very difficult to try and detect all the different ways a hacker can come at you.

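As an added illustration of the answer above (example code written for this page, not posted in the thread): StructKeyList(URL) only returns the key names, so the way to get each value is to index the URL scope by key. The second half shows the point the answer is making, a query that concatenates a URL value into the SQL text next to the same query with the value bound through cfqueryparam. The datasource name myDSN, the products table and its integer id column are assumptions.

```cfml
<!--- Added example, not from the original thread. Assumes a datasource "myDSN"
      and a table "products" with an integer "id" column (both illustrative). --->

<!--- 1. Walking the URL scope: the loop item is the key, URL[key] is its value.
      HTMLEditFormat() is used so attacker-supplied values are not echoed raw. --->
<cfoutput>
<cfloop collection="#URL#" item="key">
    #HTMLEditFormat(key)# = #HTMLEditFormat(URL[key])#<br>
</cfloop>
</cfoutput>

<!--- Make sure the parameter exists; a missing URL.id would otherwise throw. --->
<cfparam name="URL.id" default="0">

<!--- 2. VULNERABLE: the URL value becomes part of the SQL text, so
      ?id=1 OR 1=1 returns every row and a payload ending the statement
      can run whatever the database account is allowed to run. --->
<cfquery name="getProductUnsafe" datasource="myDSN">
    SELECT id, name
    FROM   products
    WHERE  id = #URL.id#
</cfquery>

<!--- 3. HARDENED: cfqueryparam sends the value as a bound, typed parameter.
      It is never parsed as SQL, and cf_sql_integer makes ColdFusion reject
      a non-numeric value before the database ever sees the request. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name
    FROM   products
    WHERE  id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

The typed bind is the control that actually stops the injection; keyword scanning of cgi.query_string, as the answer notes, cannot enumerate every encoding or comment trick an attacker may use, so it is at best a logging aid layered on top of cfqueryparam.
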
Participant, Nov 28, 2006

Thanks for the suggestion. I am using cfqueryparam in all of my queries; however, I want to add some additional insurance and this will help. Here is my code for what I am doing.

<!--- Take a copy of the raw query string (all URL keys and values in one string) --->
<cfset SQLURLChecker = CGI.QUERY_STRING>
<!--- IsSQLInject() is the poster's own custom function (not a built-in CFML function);
      it is expected to return true when the string looks like an injection attempt --->
<cfset SQLURLChecker = IsSQLInject(SQLURLChecker)>
<cfif SQLURLChecker IS "true">
    <cfset WRITESQLURLChecker = CGI.QUERY_STRING>
    <!--- This writes a record of the offending party --->
    <cffile action="append"
            file="C:\projects\oam\sqllog.txt"
            output="Time: #DateFormat(Now(),'MMMM/DD/YYYY')# #TimeFormat(Now(),'h:mm tt')# Referring Page: #CGI.SCRIPT_NAME# IP Address: #CGI.REMOTE_ADDR# Illegal Words: #WRITESQLURLChecker#">
    <!--- Redirect back to the same page without the offending query string --->
    <cflocation url="#CGI.SCRIPT_NAME#">
</cfif>