> Can a hacker retrieve rows through SQL injection
Yes, yes they can.
You are correct that there would need to be code to output the data.
The hackers just use the code you already have built to output data.
But then use SQL injection tricks to output more data than the developer
intended for anybody to see.
Here is a blog that describes a real-life example of just that.
I'm sure you know the default CF error page that you see if your SQL statement is incorrect, where it shows you the incorrect SQL statement and the error message that the SQL server returned.
Hackers can use pages like that to not just display SQL error messages but also a table dump of your DB tables.
So first of all, put a "Site-wide Error Handler" page in place, and make sure none of your scripts return a "raw" error description.
There are other additional steps that need to be taken to secure a site, but this is a start.
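As an added example (this is not code from the original thread or from ColdFusion itself): the reply above describes two things an attacker leans on, the page's own output code and a "raw" error page. The Python/sqlite3 script below stands in for a ColdFusion product-lookup page with a constructed two-table database, and contrasts a concatenated query with a parameterised one, and a raw error page with a site-wide handler that keeps the detail server-side. The function names, `SERVER_LOG`, the sample rows and the payloads are assumptions made for illustration; in CFML the parameterised form corresponds to `<cfqueryparam>`.

```python
import sqlite3

# Server-side log where a site-wide error handler would record the detail
# (assumed name for this example).
SERVER_LOG = []


def make_db():
    """Constructed sample database for this example (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
        INSERT INTO users VALUES (1, 'admin', 'a1b2c3'), (2, 'bob', 'd4e5f6');
    """)
    return conn


def execute(conn, sql, params=(), raw_errors=True):
    """Run a query the way the page's existing output code would.

    raw_errors=True mimics the default CF error page: the SQL text and the
    database's error message go straight back to the requester.
    raw_errors=False mimics a site-wide error handler: the detail is logged
    server-side and the requester only sees a generic message.
    """
    try:
        return {"rows": conn.execute(sql, params).fetchall(), "error": None}
    except sqlite3.Error as exc:
        if raw_errors:
            return {"rows": [], "error": f"Error executing query: {sql} -- {exc}"}
        SERVER_LOG.append(f"{sql!r}: {exc}")
        return {"rows": [], "error": "Sorry, something went wrong."}


def product_vulnerable(conn, product_id, raw_errors=True):
    # Concatenation: the visitor's input becomes part of the SQL text, the same
    # defect as an unparameterised <cfquery> in ColdFusion. A UNION payload rides
    # the page's own output code to return rows from a different table.
    sql = "SELECT name, price FROM products WHERE id = " + product_id
    return execute(conn, sql, raw_errors=raw_errors)


def product_parameterized(conn, product_id, raw_errors=True):
    # Bind parameter (the <cfqueryparam> equivalent): the input is data only and
    # can never change the structure of the query.
    sql = "SELECT name, price FROM products WHERE id = ?"
    return execute(conn, sql, (product_id,), raw_errors=raw_errors)


if __name__ == "__main__":
    conn = make_db()
    dump = "1 UNION SELECT username, password_hash FROM users"  # constructed payload
    print("vulnerable    :", product_vulnerable(conn, dump)["rows"])
    print("parameterized :", product_parameterized(conn, dump)["rows"])
    print("raw error page:", product_vulnerable(conn, "1'")["error"])
    print("handled error :", product_vulnerable(conn, "1'", raw_errors=False)["error"])
    print("server log    :", SERVER_LOG)
```

Run it and the vulnerable path prints the product row followed by every username and password hash, while the parameterised path prints an empty list for the same input. A stray quote shows the other half of the reply's point: with raw errors on, the response echoes the full SQL statement and the database's complaint, which is what an attacker iterates on; with the handler on, that detail only reaches `SERVER_LOG`.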
The default error page doesn't output errors directly, fortunately. Just need to run through and make sure everything is parametrized, I suppose.