SQL Injection

Hi. I'm using cfqueryparam with any dynamic cfquery tag. However, in
one case, I'm storing the "WHERE" conditions in a user account so that
the user can call up the last search he did. So I construct the string
(e.g. parameter1='A' AND parameter2='B'...) and when I store that
finished string, I use cfqueryparam. However, what if code for an SQL
injection is entered there. Although it will not be executed when it is
stored, it could be executed when it is called up later:

    <cfquery...
    SELECT * FROM Table1
    WHERE #storedString#
    </cfquery>

The only thing I can think of is dynamically building the string in the
WHERE clause and inserting the appropriate cfqueryparam tag for each
parameter. Seems pretty cumbersome. Are there any other solutions?

Thanks,

Rich

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3110
Subscription: http://www.houseoffusion.com/groups/SQL/subscribe.cfm

Re: SQL Injection

Parse the storedString and put everything after your comparison as the
value of cfqueryparam.

On Sun, Aug 3, 2008 at 7:59 PM, Rich <rich2@...> wrote:
> The only thing I can think of is dynamically building the string in
> the WHERE clause and inserting the appropriate cfqueryparam tag for
> each parameter. Seems pretty cumbersome. Are there any other
> solutions?

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3111

Re: SQL Injection

I don't follow.

On Aug 4, 2008, at 12:50 AM, Maureen wrote:
> Parse the storedString and put everything after your comparison as the
> value of cfqueryparam.

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3112

Re: SQL Injection

When building the string

    parameter1='A' AND parameter2='B'

build it the way you want to run it:

    parameter1=<cfqueryparam value='A'> AND parameter2=<etc>

Since you are building the string, Maureen was suggesting you run
through your stored WHERE value, and place 'A' (a known string after an
= sign) into a cfqueryparam. Loop through the WHERE clause, finding all
the name/value pairs.

I am going a step further, and suggesting maybe you should include the
cfqueryparams in the WHERE string before you store it to the db.

On Mon, Aug 4, 2008 at 1:57 AM, Rich <rich2@...> wrote:
> I don't follow.
>
> On Aug 4, 2008, at 12:50 AM, Maureen wrote:
> > Parse the storedString and put everything after your comparison as
> > the value of cfqueryparam.

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3113

Re: SQL Injection

Then what Maureen was suggesting was what I was actually trying to
avoid. I guess there's no easy solution. As far as what you're
suggesting, the cfqueryparam tag will be processed when the string is
constructed. How can you enter it into the string as straight text to
be processed later?

Thanks,

Rich

On Aug 4, 2008, at 2:05 AM, Jerry Johnson wrote:
> I am going a step further, and suggesting maybe you should include the
> cfqueryparams in the WHERE string before you store it to the db

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3114

Re: SQL Injection

You could write the query (including cfquery and cfqueryparam tags) to
a file and cfinclude it to execute it.

On Mon, Aug 4, 2008 at 2:11 PM, Rich <rich2@...> wrote:
> As far as what you're suggesting, the cfqueryparam tag will be
> processed when the string is constructed. How can you enter it into
> the string as straight text to be processed later?

--
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3115

Re: SQL Injection

That might be the way to go. So there's no way to write CF tags as
text into a database record?

Rich

On Aug 4, 2008, at 2:22 AM, James Holmes wrote:
> You could write the query (including cfquery and cfqueryparam tags) to
> a file and cfinclude it to execute it.

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3116

Re: SQL Injection

You can write them to the DB - you just can't get them to execute
without writing them to a file and using cfinclude.

On Mon, Aug 4, 2008 at 2:28 PM, Rich <rich2@...> wrote:
> That might be the way to go. So there's no way to write CF tags as
> text into a database record?

--
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3117

Re: SQL Injection

Ah. OK, thanks!

Thanks, everyone.

Rich

On Aug 4, 2008, at 2:31 AM, James Holmes wrote:
> You can write them to the DB - you just can't get them to execute
> without writing them to a file and using cfinclude.

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3118

Re: SQL Injection

>> So there's no way to write CF tags as text into a database record?

Actually, yes you can, but you can't execute it when read from a
database.

--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@...)
Thanks.

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3119

Re: SQL Injection

Thanks, Claude.

On Aug 4, 2008, at 9:45 AM, Claude Schneegans wrote:
>>> So there's no way to write CF tags as text into a database record?
>
> Actually, yes you can, but you can't execute it when read from a
> database.

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3120

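The thread above asks how to replay a saved search without splicing the user's original input back into SQL. The approach Maureen and Jerry describe (parse the stored WHERE text and put each value into a cfqueryparam) works, but it is simpler and safer not to store SQL text at all: store the criteria as data (column name to value), and rebuild the WHERE clause at run time from an allow-list of column names with every value bound as a parameter. The block below is an added example written for this page, not code from the thread or from ColdFusion. It is in Python with the standard-library sqlite3 module so that it runs stand-alone; the CFML equivalent is a cfloop over the stored criteria that emits one cfqueryparam per value. Table1 and the columns parameter1/parameter2 come from Rich's message; the sample rows, the ALLOWED_COLUMNS set and the JSON storage format are assumptions for the demo. It also shows, next to the safe version, the stored-string pattern from the original question returning extra rows once a saved value carries a quote.

```python
"""Replayable saved searches without SQL injection (added example).

Rather than storing the finished WHERE clause as text and splicing it
back into a query, store the criteria as data and rebuild the clause at
run time: column names come only from an allow-list, values are bound.
"""
import json
import sqlite3

# Columns a saved search may filter on. Hypothetical: the thread never
# lists the real schema beyond parameter1/parameter2.
ALLOWED_COLUMNS = {"parameter1", "parameter2"}


def serialize_search(criteria):
    """Validate a search (dict of column -> value) and return the JSON
    text to store in the user's account row. Unknown columns are
    rejected before anything is stored."""
    unknown = set(criteria) - ALLOWED_COLUMNS
    if unknown:
        raise ValueError(f"unknown search column(s): {sorted(unknown)}")
    return json.dumps(criteria, sort_keys=True)


def build_where(stored):
    """Rebuild a parameterized WHERE clause from stored JSON.

    Returns (sql_fragment, params). The allow-list is checked again on
    the way out, so a tampered account row cannot smuggle in a column
    name; values never touch the SQL text."""
    criteria = json.loads(stored)
    clauses, params = [], []
    for column in sorted(criteria):
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown search column: {column}")
        clauses.append(f"{column} = ?")
        params.append(criteria[column])
    if not clauses:
        return "", []
    return " WHERE " + " AND ".join(clauses), params


def run_saved_search(conn, stored):
    """Replay a saved search safely; returns the matching ids."""
    where, params = build_where(stored)
    rows = conn.execute(
        "SELECT id FROM Table1" + where + " ORDER BY id", params
    ).fetchall()
    return [r[0] for r in rows]


def run_stored_string_search(conn, where_string):
    """The pattern from the original question (WHERE #storedString#):
    the stored text is spliced straight into the query. Kept only to
    show the behaviour the thread is worried about."""
    rows = conn.execute(
        "SELECT id FROM Table1 WHERE " + where_string + " ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def make_demo_db():
    """Constructed sample data, not taken from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Table1 (id INTEGER, parameter1 TEXT, parameter2 TEXT)"
    )
    conn.executemany(
        "INSERT INTO Table1 VALUES (?, ?, ?)",
        [(1, "A", "B"), (2, "A", "C"), (3, "X", "B")],
    )
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    # A value carrying a quote, as a hostile user would type it.
    hostile = "A' OR '1'='1"

    # Stored-string replay: the saved text is now part of the SQL, and
    # AND binds tighter than OR, so every row comes back.
    saved_text = f"parameter1='{hostile}' AND parameter2='B'"
    print("stored string:", run_stored_string_search(conn, saved_text))  # [1, 2, 3]

    # Structured replay: the same input is just a value nothing matches.
    saved_json = serialize_search({"parameter1": hostile, "parameter2": "B"})
    print("structured   :", run_saved_search(conn, saved_json))  # []

    # A legitimate saved search still works.
    print("legitimate   :", run_saved_search(
        conn, serialize_search({"parameter1": "A", "parameter2": "B"})))  # [1]
```

The allow-list is checked both when the search is stored and when it is replayed, which is the check that matters if the account row can be edited through some other path; the stored JSON is data, so even a quote or a stray AND inside a value is just compared against the column.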
cfinclude and cffile

Hi. I'm trying to write a cfm file using <cffile action="write"...>
and include a cfinclude tag in the file. I have all of my dynamic
content in a cfsavecontent tag and I'm using that as the output of the
cffile tag. However, I want the file to which I'm writing to contain a
cfinclude tag. For example:

    <cfsavecontent variable='content'>
    <cfinclude template='includedFile.cfm'>
    static + dynamic content
    </cfsavecontent>

    <cffile action='write' file='#filePath#' output='#content#'>

However, this processes the includedFile when the cfsavecontent is
parsed, as expected. How can I do this so that the cfinclude tag is
parsed only when the output file is actually run?

Thanks,

Rich

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3125

Re: cfinclude and cffile

> parsed, as expected. How can I do this so that the cfinclude tag is
> parsed only when the output file is actually run?

Not sure that this belongs on the SQL mailing list. :P

Anyway, you just have to do something similar to this:

    <cfset cf = "cf" />
    <cfsavecontent variable="Content">
    <#cf#include template="./included_file.cfm"/>
    ....
    </cfsavecontent>

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3126

Re: cfinclude and cffile

Sorry about that, Peter. I just got caught up in this and forgot
which list I was posting to.

Thanks for the suggestion. I was thinking about something like that,
but I was curious as to whether there was something built into CF for
handling this directly.

Thanks again,

Rich

On Aug 14, 2008, at 2:31 AM, Peter Boughton wrote:
> Not sure that this belongs on the SQL mailing list. :P
>
> Anyway, you just have to do something similar to this:
>
>     <cfset cf = "cf" />
>     <cfsavecontent variable="Content">
>     <#cf#include template="./included_file.cfm"/>
>     ....
>     </cfsavecontent>

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3127

Re: cfinclude and cffile

    <cfsavecontent variable='content'>
    #Chr(60)#cfinclude template='includedFile.cfm'#Chr(62)#
    static + dynamic content
    </cfsavecontent>

On Thu, Aug 14, 2008 at 2:15 AM, Rich <rich2@...> wrote:
> However, this processes the includedFile when the cfsavecontent is
> parsed, as expected. How can I do this so that the cfinclude tag is
> parsed only when the output file is actually run?

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3128

Re: cfinclude and cffile

Thanks, Dave.

Rich

On Aug 14, 2008, at 6:56 AM, Dave Babbitt wrote:
>     <cfsavecontent variable='content'>
>     #Chr(60)#cfinclude template='includedFile.cfm'#Chr(62)#
>     static + dynamic content
>     </cfsavecontent>

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3129