19 results found for EXACT PHRASE: ';drop table
hex encoded ';DROP TABLE Products' ---> <cfoutput>#isValid("url",
username ';DROP TABLE users;-- Parameterized queries, on the other hand, ARE safe. They might look like PreparedStatement statement =
';drop table test;'. Can you provide an example of how the second piece of code could be injected? I think you are a bit confused about how SQL Injection
http://www.amk.ca/python/writing/DB-API.html Be careful when you simply append values of variables to your statements: Imagine a user naming himself ';DROP TABLE Users;' -- That's why you need
an attacker would insert this: ';DROP TABLE FOO; -- The statement would look like: SELECT * FROM Customers WHERE Customername = ''';DROP TABLE FOO;--'
prevent input like this from causing damage: ';DROP TABLE bar;-- Try putting that in your fuz variable (or don't, if you value your bar table). More subtle
';DROP TABLE tblClient;-- Instead, use a parameterized query. That will fix your date issues and protect against SQL injection attacks. Here's an example:
AND addLine1 = ''' + @ApexLine1 + '''' is EVIL. Don't do it. Variables like @ApexLine1 could contain anything, even something like this: ';DROP TABLE
TextBox1.Text & "')" NEVER substitute user input directly into a query like that! It's a major security hole. What if I enter ';DROP TABLE Student;-- into your
cfqueryparam for your values, and I hope you're sanitizing your input somehow so that arguments.strSelectAttributes can't contain something like ';drop table