> issue with coldfusion, if so what is the best way to stop this and what would
> be the way to break out of coldfusion code?
use cfqueryparam religiously.
Personally I find js injections to be more of a threat than sql injections. I have tested both, and the only time I could get sql to execute was with MS SQL and a numeric datatype. The other dbs I tested were Oracle and Redbrick.
Dan Bracuk wrote:
> Personally I find js injections to be more of a threat than sql injections. I
> have tested both, and the only time I could get sql to execute was with MS SQL
> and a numeric datatype. The other dbs I tested were Oracle and Redbrick.
I just want to say, I have no trouble doing SQL injection on Oracle with
numeric data types as well.
String data types are much more difficult thanks to ColdFusion's habit
of automatically escaping single quotes, unless one has turned this off
with the preserveSingleQuotes() function.
But, I trust the rule of thumb that hackers have much more time than I
do to find obscure combinations of characters, escapes and/or commands.
Thus I just <queryParam...> so that the database knows to never ever
treat this piece of data as code.
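The difference the two posters above are describing, as an added example that is not from the thread: a numeric column compared against raw request data gets no protection from ColdFusion's single-quote escaping, because there are no quotes around the value to escape. The datasource name `myDSN`, the `users` table and the `url.id` parameter are assumed for illustration.

```cfml
<!--- VULNERABLE: url.id is pasted straight into the SQL text. --->
<!--- Because the column is numeric, no quotes surround the value, so --->
<!--- ColdFusion's automatic single-quote escaping never applies and the --->
<!--- whole string becomes part of the statement the database executes. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, name
    FROM   users
    WHERE  id = #url.id#
</cfquery>

<!--- SAFE: the value is bound as a parameter, never spliced into the SQL. --->
<!--- cf_sql_integer also makes ColdFusion reject anything that is not an --->
<!--- integer before the query reaches the database. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, name
    FROM   users
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String columns get the same treatment; the database receives the --->
<!--- text as data whatever characters it contains, so there is no need --->
<!--- to rely on quote escaping (or to disable it with preserveSingleQuotes). --->
<cfquery name="findUser" datasource="myDSN">
    SELECT id, name
    FROM   users
    WHERE  name = <cfqueryparam value="#url.name#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>
```

The `maxlength` attribute is an additional check ColdFusion performs before binding; it is optional but cheap, and it turns an oversized value into an error rather than a database round trip.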
ok many thanks.
so is it possible to break out of coldfusion code, how is js injection caused?
> ok many thanks.
> so is it possible to break out of coldfusion code, how is js injection caused?
To expand on Dan's example: JS injection is where one accepts content
from users that is subsequently displayed in a browser. If the content
is not monitored, then it is entirely possible for anybody who provides
the content to include HTML and JS code that does anything such
code can do in a browser.
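The display side of that problem, as an added example that is not from the thread: user-supplied text has to be encoded at the point where it is written into the page, so the browser renders it as text rather than parsing it as markup. The form field `form.comment` is an assumed name.

```cfml
<!--- Assumed input: a comment field posted by a visitor. --->
<cfparam name="form.comment" default="">

<!--- VULNERABLE: the raw value is written into the HTML. Any tag or --->
<!--- script the visitor typed is handed to every later reader's browser --->
<!--- and executed there with that reader's session. --->
<cfoutput>
    <p>#form.comment#</p>
</cfoutput>

<!--- SAFE: HTMLEditFormat() replaces the characters that have meaning --->
<!--- in HTML (&lt; &gt; &amp; and double quotes) with entities, so the --->
<!--- browser displays the text literally instead of interpreting it. --->
<cfoutput>
    <p>#HTMLEditFormat(form.comment)#</p>
</cfoutput>
```

Encode on output rather than on input: the same stored value may later be placed in HTML, in an attribute, or in JavaScript, and each context needs its own encoding. On ColdFusion 10 and later, `encodeForHTML()` and `encodeForHTMLAttribute()` are the context-specific replacements for `HTMLEditFormat()`.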