Title:
Bug 82935: (Watson Migration Closure) [documentation] CFGRID examples promote SQL injection risks
Status/Resolution/Reason: Closed/Won't Fix/LowImpact
Reporter/Name(from Bugbase): CF Searching / CF Searching (CF Searching)
Created: 05/18/2010
Components: Documentation, Examples
Versions: 9.0
Failure Type: Unspecified
Found In Build/Fixed In Build: 0000 /
Priority/Frequency: Normal / Unknown
Locale/System: English / Platforms All
Vote Count: 1
Problem:
[documentation] CFGRID examples promote sql injection risks

Please consider updating the CFGRID examples (in all versions) to remove queries like the ones below that are wide open to sql injection. Unfortunately, some people use the examples provided in live applications, unaware they are making their database vulnerable to attacks.

One of the examples in CF8 / CF9 documentation:
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=ajaxui_5.html#1126812
http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSc3ff6d0ea77859461172e0811cbec22c24-7a01.html
Method:
--- example 1
update employees set <cfoutput>#colname#</cfoutput> = '<cfoutput>#value#</cfoutput>' where Emp_ID = <cfoutput>#gridrow.Emp_ID#</cfoutput>

--- example 2
delete from employees where emp_id = <cfoutput>#gridrow.Emp_ID#</cfoutput>
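The hardened form of the two queries above, as an added example that is neither the reporter's code nor Adobe's documentation: the literal values are bound with cfqueryparam, and the column name, which a bind parameter cannot carry, is checked against a fixed allowlist. The list of editable columns and the datasource name cfdocexamples are assumptions.

```cfml
<!--- Added example (not from the bug report or the CF docs). Uses the same
      variables as the original: colname, value and gridrow.Emp_ID. The
      editable-column list and the "cfdocexamples" datasource are assumed. --->

<!--- cfqueryparam binds values, not identifiers, so the column name is
      validated against an allowlist and the allowlist's own spelling is
      used in the SQL rather than the user-supplied string. --->
<cfset editableColumns = "FirstName,LastName,Email,Salary">
<cfset colIndex = ListFindNoCase(editableColumns, colname)>
<cfif colIndex EQ 0>
    <cfthrow message="Requested column is not editable">
</cfif>
<cfset safeCol = ListGetAt(editableColumns, colIndex)>

<!--- Typed bind parameters: a non-numeric Emp_ID is rejected by
      cf_sql_integer before any SQL reaches the database. --->
<cfquery name="updateEmp" datasource="cfdocexamples">
    update employees
    set #safeCol# = <cfqueryparam value="#value#" cfsqltype="cf_sql_varchar">
    where Emp_ID = <cfqueryparam value="#gridrow.Emp_ID#" cfsqltype="cf_sql_integer">
</cfquery>

<cfquery name="deleteEmp" datasource="cfdocexamples">
    delete from employees
    where emp_id = <cfqueryparam value="#gridrow.Emp_ID#" cfsqltype="cf_sql_integer">
</cfquery>
```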
Result:
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 3041477
External Customer Info:
External Company:
External Customer Name: CF Searching
External Customer Email: 248D17EF472002E0992015B9
External Test Config: 05/18/2010
Attachments:
Comments: