Comments on: Preventing SQL Injection http://www.fusioncube.net/index.php/preventing-sql-injection The online journey of a technophile, by Steve Brownlee Mon, 30 Jan 2012 21:28:36 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Daniel Sellers http://www.fusioncube.net/index.php/preventing-sql-injection/comment-page-1#comment-31550 Daniel Sellers Thu, 28 Aug 2008 15:28:41 +0000 http://www.fusioncube.net/?p=245#comment-31550 hmm... didn't all fit above... one more try: <cfif URL[i] CONTAINS '4445434C415245' OR URL[i] CONTAINS ' hmm… didn’t all fit above… one more try:
<cfif URL[i] CONTAINS ’4445434C415245′
OR URL[i] CONTAINS ‘

]]> By: Daniel Sellers http://www.fusioncube.net/index.php/preventing-sql-injection/comment-page-1#comment-31549 Daniel Sellers Thu, 28 Aug 2008 15:27:39 +0000 http://www.fusioncube.net/?p=245#comment-31549 Just knocked out a more expansive version of the IF statement to track a larger group of SQL commands in HEX and plain text: <cfif URL[i] CONTAINS '4445434C415245' OR URL[i] CONTAINS ' Just knocked out a more expansive version of the IF statement to track a larger group of SQL commands in HEX and plain text:

<cfif URL[i] CONTAINS ’4445434C415245′ OR URL[i] CONTAINS ‘

]]> By: Steve Brownlee http://www.fusioncube.net/index.php/preventing-sql-injection/comment-page-1#comment-31548 Steve Brownlee Thu, 28 Aug 2008 14:57:53 +0000 http://www.fusioncube.net/?p=245#comment-31548 Yes, Eric, very good point. It's simply one tool your should have in the arsenal! Yes, Eric, very good point. It’s simply one tool your should have in the arsenal!

]]> By: Eric Cobb http://www.fusioncube.net/index.php/preventing-sql-injection/comment-page-1#comment-31547 Eric Cobb Thu, 28 Aug 2008 14:54:12 +0000 http://www.fusioncube.net/?p=245#comment-31547 Just to clarify, this helps protect against a SPECIFIC sql injection attack that's been going around, not every sql injection attack in general. That's what cfqueryparam is for. ;) Thanks for the code post! It will definitely come in handy as an added layer of protection against this. Just to clarify, this helps protect against a SPECIFIC sql injection attack that’s been going around, not every sql injection attack in general. That’s what cfqueryparam is for. ;)

Thanks for the code post! It will definitely come in handy as an added layer of protection against this.

]]> By: Jason Bartholme http://www.fusioncube.net/index.php/preventing-sql-injection/comment-page-1#comment-31546 Jason Bartholme Thu, 28 Aug 2008 14:37:12 +0000 http://www.fusioncube.net/?p=245#comment-31546 Hi Steve, I'm glad the code is helping to prevent further attacks. It's good to see others using it as well. You may also look into placing constraints on your varchar and text fields to not allow the string '<script' to be inserted/updated. We believe that offers another layer of projection. Hi Steve,

I’m glad the code is helping to prevent further attacks. It’s good to see others using it as well. You may also look into placing constraints on your varchar and text fields to not allow the string ‘<script’ to be inserted/updated. We believe that offers another layer of projection.

]]>