ColdFusion help

I am running a test in SpIDER WEB and it returns the following error message. How can I fix the error to avoid the vulnerability?

Attack Type  - double Quote (double ASCII)
Original value - page
Attack Value - page%25%22
Error : Select folio ,pgname,name
from tbl
where upper(pgname) = '1B'</font><td></tr></
erikTsomik (System Architect, CF programmer) asked:

_agx_ commented:
What's the actual cfquery code? Are you using cfqueryparam in the query? If not, you should be:

Select folio ,pgname,name
from tbl
where upper(pgname) = <cfqueryparam value="#url.someparam#" cfsqltype="cf_sql_varchar">

erikTsomik (Author) commented:
This is the code. And yes, I am using cfqueryparam:

Select folio ,pgname,name
from tbl
where upper(pgname) = <cfqueryparam value="#url.someparam#" cfsqltype="cf_sql_varchar">
_agx_ commented:
I'd ask why that is flagged as a risk. I get that "%22" is a double quote, so if the query didn't use bind variables, someone could potentially use it to build a malicious sql string that gets executed as sql, in order to return more data than what you intended, like:

<!--- potentially returns all records STARTING with the input string --->
WHERE  someColumn LIKE "page%"

.... instead of

<!--- only returns records with exact value --->
WHERE  someColumn = "page"

But ... as long as you're using bind variables (which you are) the input is always treated as a literal. It can't be executed as sql.  Also, it uses equals so it could only match records having the EXACT and literal value:  

           page%"  

Very unlikely.   So I'd ask what they're testing for and why they think that input fails.
_agx_ commented:
Error : Select folio ,pgname,name
from tbl
where upper(pgname) = '1B'</font><td></tr></

Only other possibility I can think of is leaking error messages? Generally web apps shouldn't return much detail about any errors that occur, since that info can be used to learn more about the web app and how to better attack it. But ... the query you posted wouldn't throw an error, so not an issue here.
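An added, runnable illustration of the point _agx_ makes in the two comments above (not code from the thread): with the scanner's decoded payload `page%"` fed to a bound-parameter query, the `%` and `"` are plain characters and only a row literally named `page%"` can match, whereas the same value spliced into a LIKE pattern lets `%` act as a wildcard. The table contents, the `find_page_*` helper names and the use of SQLite in place of the poster's database are assumptions made for this example.

```python
import sqlite3

# Constructed stand-in for the thread's "tbl"; row 4 stores the scanner's
# payload as a literal name so the exact-match behaviour can be observed.
ROWS = [
    (1, "page", "Home"),
    (2, "pageinfo", "Info"),
    (3, "PAGES", "Index"),
    (4, 'page%"', "Literal payload"),
]

# The scanner's attack value, URL-decoded: page%25%22 -> page%"
ATTACK_VALUE = 'page%"'


def make_db():
    """Build the constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (folio INTEGER, pgname TEXT, name TEXT)")
    conn.executemany("INSERT INTO tbl VALUES (?, ?, ?)", ROWS)
    return conn


def find_page_bound(conn, value):
    """Bound parameter, the equivalent of cfqueryparam in the thread:
    '%' and '"' are ordinary characters, so only an exact match is returned."""
    sql = "SELECT folio, pgname, name FROM tbl WHERE upper(pgname) = ?"
    return conn.execute(sql, (value.upper(),)).fetchall()


def find_page_spliced_like(conn, value):
    """The unsafe pattern _agx_ describes (constructed, not from the thread):
    the raw value is pasted into a LIKE pattern, so an injected '%' becomes
    a wildcard and widens the result set."""
    sql = "SELECT folio, pgname, name FROM tbl WHERE upper(pgname) LIKE '%s'"
    return conn.execute(sql % value.upper()).fetchall()


def compare(value):
    """Run both forms against a fresh table; returns (bound_rows, spliced_rows)."""
    conn = make_db()
    return find_page_bound(conn, value), find_page_spliced_like(conn, value)


if __name__ == "__main__":
    for v in ("page", "page%", ATTACK_VALUE):
        bound, spliced = compare(v)
        print(repr(v), "bound:", bound, "| spliced LIKE:", spliced)
```

With the bound query, `page%` and `page%"` return nothing unless a row carries exactly that string; with the spliced LIKE, `page%` returns every row whose name starts with "page".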
Question has a verified solution.