
ColdFusion SQL Injection

swinfosec asked on
In ColdFusion, using <cfquery>, is it possible to break out of a SQL "IN" clause to perform a SQL injection attack with something other than a select statement as the parameter?

Wiki and Google led me to dead ends, and only mentioned the "like" statement.

I.e., can I insert, update, delete, etc.?
Pseudocode example:
<cfquery> Select * from example.table where example.arg in (#someid#) </cfquery>
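
Added example, not part of the original question or its answer: the query from the question next to a form that validates the list and binds each element with cfqueryparam. The names url.someid, qExample and exampleDsn, and the assumption that example.arg is an integer column, are hypothetical.

```cfml
<!--- Assumption: someid arrives from the request as a comma-separated list
      (url.someid is a hypothetical source) and example.arg is an integer column. --->
<cfparam name="url.someid" default="">

<!--- Allow-list check: only digits separated by single commas.
      An empty value is rejected too, so the IN list is never empty. --->
<cfif NOT reFind("^\d+(,\d+)*$", url.someid)>
    <cfthrow type="InvalidInput"
             message="someid must be a comma-separated list of integers">
</cfif>

<!--- Before (as posted in the question): the variable is spliced into the
      SQL text, so whatever it contains is parsed by the database as SQL.
      <cfquery> Select * from example.table where example.arg in (#someid#) </cfquery>
--->

<!--- After: list="true" splits the value on commas and sends each element
      as a separate bound integer parameter, so the values are never parsed
      as SQL. exampleDsn is a hypothetical datasource name. --->
<cfquery name="qExample" datasource="exampleDsn">
    SELECT *
    FROM example.table
    WHERE example.arg IN (
        <cfqueryparam value="#url.someid#"
                      cfsqltype="cf_sql_integer"
                      list="true">
    )
</cfquery>
```

A datasource account limited to SELECT on the tables it reads narrows what any remaining unparameterized query could do.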