Advertisement

08.07.2008 at 12:52PM PDT, ID: 23630782 | Points: 500
[x]
Attachment Details

SQL Injection

Asked by lorigottschalk in ColdFusion Application Server, Cold Fusion Markup Language

Tags: , ,

I have a classic example of attempts at SQL Injection on my site.  So far, they haven't been able to get through.  I thought I had locked down the code, but I'm still gettting hundreds of the following error notifications:

Error Message: Error Executing Database Query.
ERROR.QueryString: PageNum_getProduct=2&Key=gauge&Manufacturer=&Color=&TextureType=&BooksOnly=&CatID=&SubCatID=&Sort=;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420766172 [Edited by Lunchy]
Error on Page: /Results.cfm
Previous Page:
------------------------------------
Error Executing Database Query. Syntax error or access violation: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661
The error occurred on line 123.


So, I am checking the submitted parameters as follows:

<cfif IsDefined('CatID') AND CatID NEQ "" AND NOT IsNumeric(CatID)>
     <cflocation url="index.cfm">
<cfelseif IsDefined('SubCatID') AND SubCatID NEQ "" AND NOT IsNumeric(SubCatID)>
     <cflocation url="index.cfm">
<cfelseif IsDefined('Sort') AND Sort NEQ "" AND Len(Sort) GT 20>
     <cflocation url="index.cfm">
</cfif>

When I test this on my dev box, it catches the error and routes back to the index.cfm page, as expected.  So how come they are still getting past this code and far enough to be submitted to the database?Start Free Trial
[+][-]08.07.2008 at 01:15PM PDT, ID: 22184908

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]08.07.2008 at 01:20PM PDT, ID: 22184956

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]08.07.2008 at 01:31PM PDT, ID: 22185073

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]08.07.2008 at 01:35PM PDT, ID: 22185117

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]08.07.2008 at 01:44PM PDT, ID: 22185215

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]08.07.2008 at 02:05PM PDT, ID: 22185422

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]08.07.2008 at 02:50PM PDT, ID: 22185795

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]08.07.2008 at 03:13PM PDT, ID: 22185979

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]08.07.2008 at 03:31PM PDT, ID: 22186120

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]08.08.2008 at 02:04PM PDT, ID: 22193627

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]08.08.2008 at 06:45PM PDT, ID: 22194773

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]08.08.2008 at 07:48PM PDT, ID: 22194881

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]08.09.2008 at 09:45AM PDT, ID: 22196811

Experts Exchange has a courteous staff of administrators who help members get the most out of the website by means of administrative comments like this one.

Start your 7-day free trial to view this Administrative Comment or ask the Experts your question.

 
[+][-]08.09.2008 at 03:46PM PDT, ID: 22197889

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]08.10.2008 at 09:03AM PDT, ID: 22199979

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]08.10.2008 at 10:21AM PDT, ID: 22200164

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]08.12.2008 at 08:01AM PDT, ID: 22213802

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]08.12.2008 at 01:17PM PDT, ID: 22216708

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]08.12.2008 at 06:47PM PDT, ID: 22218514

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]08.15.2008 at 01:06PM PDT, ID: 22241361

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]08.15.2008 at 06:21PM PDT, ID: 22242770

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
 
Loading Advertisement...
20080716-EE-VQP-32 / EE_QW_2_20070628