swinfosec asked:
ColdFusion SQL Injection
In ColdFusion, using <cfquery>, is it possible to break out of a SQL "IN" clause to perform a SQL injection attack with something other than a SELECT statement as the parameter?
Wiki and Google lead me to dead ends, and only mention the "LIKE" statement.
I.e., can I INSERT, UPDATE, DELETE, etc.?
Pseudocode example:
<cfquery> SELECT * FROM example.table WHERE example.arg IN (#someid#) </cfquery>
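The pattern in the question, reproduced as an added example that is not part of the original post: Python with the standard sqlite3 module stands in for the cfquery, and `example_table`, its columns and its three rows are constructed for the demonstration. Raw interpolation of `#someid#` lets the caller close the IN list and append any boolean condition, which alone reads the whole table. Whether an appended INSERT, UPDATE or DELETE also runs depends on the database driver accepting more than one statement per call; the two vulnerable functions model both cases (sqlite3's `execute` refuses a second statement, `executescript` runs every statement in the string). The hardened form validates every list element as an integer and binds it, which is what ColdFusion's `<cfqueryparam cfsqltype="cf_sql_integer" list="true">` does for a comma-separated list.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for example.table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE example_table (arg INTEGER PRIMARY KEY, label TEXT)")
    conn.executemany(
        "INSERT INTO example_table VALUES (?, ?)",
        [(1, "one"), (2, "two"), (3, "three")],
    )
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM example_table").fetchone()[0]


def vulnerable_in_query(someid):
    # Builds the same string the cfquery in the question builds: #someid# pasted in raw.
    return f"SELECT arg FROM example_table WHERE arg IN ({someid})"


def vulnerable_select(conn, someid):
    """Driver that runs one statement per call (sqlite3 execute).
    Boolean break-outs work; a stacked second statement is refused (returns None)."""
    try:
        return sorted(r[0] for r in conn.execute(vulnerable_in_query(someid)))
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return None


def vulnerable_select_stacked(conn, someid):
    """Driver that accepts several ';'-separated statements per call
    (sqlite3 executescript). Returns the rows left in the table afterwards."""
    conn.executescript(vulnerable_in_query(someid))
    return row_count(conn)


def safe_select(conn, someid):
    """Hardened form: each list element must parse as an integer and is bound
    through a placeholder, so the input can never change the statement shape.
    Returns None for input that is not a comma-separated integer list
    (a real handler would reject the request instead)."""
    try:
        ids = [int(part.strip()) for part in str(someid).split(",")]
    except ValueError:
        return None
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT arg FROM example_table WHERE arg IN ({placeholders})"
    return sorted(r[0] for r in conn.execute(sql, ids))


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_select(db, "1,3"))                  # legitimate list
    print(vulnerable_select(db, "0) OR (1=1"))           # closes the list, reads everything
    stacked = "1); DELETE FROM example_table WHERE (1=1"  # template's ')' closes the DELETE
    print(vulnerable_select(db, stacked), row_count(db))  # refused, rows intact
    print(safe_select(db, "0) OR (1=1"))                  # rejected as non-integer
    print(vulnerable_select_stacked(db, stacked))         # multi-statement driver: table emptied
```

The stacked payload deliberately ends with `WHERE (1=1` so that the closing parenthesis already present in the query template completes the DELETE without needing a comment marker; the same trick works for an INSERT or UPDATE once the driver executes the second statement.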
SOLUTION (only available to Experts Exchange members; not shown)
ASKER CERTIFIED SOLUTION (only available to Experts Exchange members; not shown)
ASKER
This is what I had indicated to our vendor also; again, thanks for reaffirming my initial thoughts.