Breaking out of coldfusion code

Guest, Apr 09, 2008

Hi, I have had issues in the past with ASP SQL injections, mainly on form entry, by entering a SQL string and breaking out of the ASP code. Is this an issue with ColdFusion? If so, what is the best way to stop this, and what would be the way to break out of ColdFusion code?

I do use SQL stored procedures; is this totally safe from SQL injections?

Many thanks
LEGEND, Apr 09, 2008

craiglaw98 wrote:
> issue with coldfusion, if so what is the best way to stop this and what would
> be the way to break out of coldfusion code?

Use cfqueryparam religiously.

LEGEND, Apr 09, 2008

Personally I find JS injections to be more of a threat than SQL injections. I have tested both, and the only time I could get SQL to execute was with MS SQL and a numeric datatype. The other DBs I tested were Oracle and Redbrick.

LEGEND, Apr 09, 2008

Dan Bracuk wrote:
> Personally I find JS injections to be more of a threat than SQL injections. I
> have tested both, and the only time I could get SQL to execute was with MS SQL
> and a numeric datatype. The other DBs I tested were Oracle and Redbrick.
>

I just want to say, I have no trouble doing SQL injection on Oracle with
numeric data types as well.

String data types are much more difficult thanks to ColdFusion's habit
of automatically escaping single quotes, unless one has turned this off
with the preserveSingleQuotes() function.

But I trust the rule of thumb that hackers have much more time than I
do to find obscure combinations of characters, escapes and/or commands.
Thus I just <queryParam...> so that the database knows to never ever
treat this piece of data as code.

Guest, Apr 10, 2008

OK, many thanks.

So is it possible to break out of ColdFusion code? How is JS injection caused?

LEGEND, Apr 10, 2008
craiglaw98 wrote:
> OK, many thanks.
>
> So is it possible to break out of ColdFusion code? How is JS injection caused?

To expand on Dan's example: JS injection is where one accepts content
from users that is subsequently displayed in a browser. If the content
is not monitored, then it is entirely possible for anybody who provides
the content to include HTML and JS code that does anything that such
code can do in a browser.

LEGEND, Apr 10, 2008

<script>window.alert("Like This");</script>

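Putting the thread's two pieces of advice into CFML, as an added example that is not code from any of the posters: the numeric-column case Dan and Ian describe, first with the value concatenated into the SQL and then bound with cfqueryparam (Ian's "<queryParam...>"), followed by the output-encoding step that keeps the <script> snippet in the last reply from running. The datasource name, table, and the url/form field names are assumptions.

```cfml
<!--- Vulnerable: url.id is pasted into the SQL text. ColdFusion doubles single
      quotes in #variables# inside cfquery, which stops breaking out of a quoted
      string literal, but a numeric comparison has no quotes to break out of, so
      input without quotes goes straight through (the MS SQL / Oracle numeric
      case Dan and Ian describe). --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name, price
    FROM   products
    WHERE  id = #url.id#
</cfquery>

<!--- Hardened: cfqueryparam binds the value as a typed parameter, so the
      database receives it as data, never as part of the statement. ColdFusion
      also rejects a value that is not a valid cf_sql_integer before sending. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name, price
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings get the same treatment; maxlength caps the value length.
      LIKE wildcards belong in the bound value, not in the SQL text. --->
<cfquery name="findProducts" datasource="myDSN">
    SELECT id, name
    FROM   products
    WHERE  name LIKE <cfqueryparam value="%#form.q#%"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="100">
</cfquery>

<!--- JS injection (the <script> example in the last reply) is an output
      problem: user-supplied text must be HTML-encoded when it is displayed.
      htmlEditFormat() turns <, >, & and " into entities, so a stored
      "<script>..." renders as visible text instead of running in the browser. --->
<cfoutput>
    <p>Search: #htmlEditFormat(form.q)#</p>
    <ul>
    <cfloop query="findProducts">
        <li>#htmlEditFormat(findProducts.name)#</li>
    </cfloop>
    </ul>
</cfoutput>
```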