tracker issue : CF-3039303

Title:

Bug 78833:(Watson Migration Closure)[ANEFF] ER for: Injection-proofing cfinsert/cfupdateone suggestion: parametrize="true" attribute, which could internally use cfdbinfo to parametrize the queriesanother suggestion: just make it automat


Status/Resolution/Reason: Closed/Withdrawn/

Reporter/Name(from Bugbase): Aaron Neff / Aaron Neff (Aaron Neff)

Created: 07/15/2009

Components: Security, General

Versions: 9.0

Failure Type: Unspecified

Found In Build/Fixed In Build: 0000 /

Priority/Frequency: Normal / Unknown

Locale/System: English / Platforms All

Vote Count: 2

Problem:

[ANEFF] ER for: Injection-proofing cfinsert/cfupdate

one suggestion: parametrize="true" attribute, which could internally use cfdbinfo to parametrize the queries
another suggestion: just make it automatically safe, w/o requiring additional parameter
another suggestion: add a timespan attribute, like on query caching, then it can also be reset

Related thread: https://prerelease.adobe.com/r/?146908c2f6ba4153bb9a727e6e43c1c1

Regardless of implementation, I feel this needs to be done. Even if performance decreases, at least the queries are safe. If the developer wants better performance, then cfinsert/cfupdate can be replaced by cfqueryparam. Something needs to be done ASAP to make cfinsert/cfupdate safer from SQL Injection attacks.

(I put "crashes server", b/c if someone uses examples in cfinsert/cfupdate docs - then serious problems can occur)
Method:


Result:

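The reporter's first suggestion (parameterize by consulting cfdbinfo) can be emulated by hand in application code; the CFML below is an added illustration, not code from the tracker or from Adobe. It assumes a datasource named myDSN, takes the table name tbl_test from Adam's later comment, and only uses a form field when its name matches a column that cfdbinfo returns for that table.

```cfml
<!--- Added example (not from the tracker): hand-rolled version of the
      "parametrize via cfdbinfo" suggestion. Assumed: datasource "myDSN";
      table tbl_test comes from Adam's comment on the ticket. --->
<cfset dsn = "myDSN">
<cfset tableName = "tbl_test">

<!--- Column names and types come from the schema, never from the request --->
<cfdbinfo datasource="#dsn#" type="columns" table="#tableName#" name="cols">

<!--- Map the driver's TYPE_NAME to a cfsqltype; unknown types are bound as varchar --->
<cfset typeMap = structNew()>
<cfset typeMap["int"] = "cf_sql_integer">
<cfset typeMap["bigint"] = "cf_sql_bigint">
<cfset typeMap["bit"] = "cf_sql_bit">
<cfset typeMap["decimal"] = "cf_sql_decimal">
<cfset typeMap["date"] = "cf_sql_date">
<cfset typeMap["datetime"] = "cf_sql_timestamp">

<cfset insertCols = []>
<cfset insertVals = []>
<cfloop query="cols">
    <!--- Skip the primary key (DB assigns it) and any column the form did not submit --->
    <cfif cols.IS_PRIMARYKEY EQ "YES" OR NOT structKeyExists(form, cols.COLUMN_NAME)>
        <cfcontinue>
    </cfif>
    <cfset sqlType = "cf_sql_varchar">
    <cfif structKeyExists(typeMap, lCase(cols.TYPE_NAME))>
        <cfset sqlType = typeMap[lCase(cols.TYPE_NAME)]>
    </cfif>
    <cfset arrayAppend(insertCols, cols.COLUMN_NAME)>
    <cfset arrayAppend(insertVals, { value = form[cols.COLUMN_NAME], type = sqlType })>
</cfloop>

<!--- Only schema-validated column names are interpolated; every value is a bound
      parameter, so the driver sees e.g. "insert into tbl_test (tst_data) values (?)" --->
<cfif arrayLen(insertCols) GT 0>
    <cfquery datasource="#dsn#">
        INSERT INTO #tableName# (#arrayToList(insertCols)#)
        VALUES (
        <cfloop from="1" to="#arrayLen(insertVals)#" index="i">
            <cfif i GT 1>,</cfif>
            <cfqueryparam value="#insertVals[i].value#" cfsqltype="#insertVals[i].type#">
        </cfloop>
        )
    </cfquery>
</cfif>
```

Whether a tag such as cfinsert already does this internally can be checked the way the later comments describe: capture the statement the database actually receives (a profiler trace or the driver's query log) and look for `?` placeholders rather than literal values.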
----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3039303

External Customer Info:
External Company:  
External Customer Name: Aaron Neff
External Customer Email: 3D1D17B03C844EBF992001AC
External Test Config: 07/15/2009

Attachments:

Comments:

+1 vote. I'm for parameterisation to be done automatically (rather than via an additional attribute). Otherwise people might not use it. And existing code won't be protected unless it's updated. -- Adam
Vote by External U.
23412 | November 10, 2011 06:55:23 PM GMT
+1 for me too. I use cfupdate and cfinsert in places. To find out that my SQL server is vulnerable to SQL injection when I have taken so much time to prevent that in all of my hand-written code, just to find out that a CF tag is vulnerable to SQL injection. Shame on you Adobe for releasing CF9 without some FIX for this.
Vote by External U.
23413 | November 10, 2011 06:55:25 PM GMT
NB: this seems to be fixed in CF9 & CF10 as far as I can tell. This is the SQL sent to the DB for an INSERT: `insert into tbl_test (tst_data) values (?)` And an UPDATE: `update tbl_test set tst_data=? where tst_id=?` That looks OK to me..? -- Adam
Comment by External U.
23409 | July 29, 2012 06:17:52 AM GMT
And on CF 8.0l1 for that matter. I suspect there is no issue here. -- Adam
Comment by External U.
23410 | July 29, 2012 07:22:55 AM GMT
Confirmed (using MSSQL profiler) this is a non-issue in CF11. Queries are parameterized for cfinsert and cfupdate. And apparently this was never an issue - not sure why I'd thought it was. Thanks, Adam, for confirming :) Thanks!, -Aaron
Comment by External U.
23411 | July 22, 2015 02:02:40 PM GMT