Is this an example of an SQL Injection Attack?

Submitted by 橙三吉。 on 2019-12-05 20:25:37

Question


I developed a web site for a client where they will post images of their merchandise online. The url is www.domiainname.com/item-details.cfm?sku=125. Someone tried browsing to www.domiainname.com/item-details.cfm?sku=125%20and%203=3 which produced an error that I'm notified of.

I've also received error reports of:

item-details.cfm?sku=1291+or+1=@@version-- 
item-details.cfm?sku=1291'+or+1=@@version 
item-details.cfm?sku=1291+or+1=@@version

The last three examples are definitely of someone trying to get into the system, right?

If we converted this to be stored procedures, would that reduce or eliminate the risk of insertion attacks?


Answer 1:


Yes, it appears that someone is being malicious.

Using cfqueryparam will prevent SQL-injection attacks. When in doubt (and it's CF), ask Ben:

SQL Injection Attacks, Easy To Prevent, But Apparently Still Ignored

Example:

<cfquery ...>
    SELECT    *
    FROM      Products
    WHERE     SKU=<cfqueryparam value="#URL.SKU#" cfsqltype="CF_SQL_INTEGER">
</cfquery>



Answer 2:


Use cfqueryparam and forget about any sql-injection ;)




Answer 3:


Yep, someone attempted SQL injection. If you check the sku variable correctly in your code, this will not do any harm.
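An added, runnable illustration of what answers 1 and 3 recommend (this is not code from the question, the answers, or the linked article): Python with an in-memory SQLite table stands in for the ColdFusion page and its Products table, so the difference between splicing the sku into the SQL text and binding it as a typed parameter can be executed directly. The table contents, the function names and the SKU_PATTERN integer check are assumptions made for the example; the URLs fed to the detection helper are the ones quoted in the question.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_catalogue():
    """Constructed stand-in for the client's Products table (SKUs and names are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (SKU INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany(
        "INSERT INTO Products VALUES (?, ?)",
        [(125, "Red widget"), (1291, "Blue widget"), (2000, "Green widget")],
    )
    return conn


def lookup_concatenated(conn, sku):
    """Vulnerable form: the raw ?sku= value becomes part of the SQL text, so
    'sku=125 and 3=3' is executed as SQL instead of being compared as a number,
    and 'sku=1291 or 1=@@version--' produces a database error like the ones reported."""
    return conn.execute("SELECT SKU, Name FROM Products WHERE SKU=" + sku).fetchall()


# Assumed validation rule: a SKU is a plain non-negative integer and nothing else.
SKU_PATTERN = re.compile(r"[0-9]+")


def lookup_parameterised(conn, sku):
    """Hardened form, the equivalent of
    <cfqueryparam value="#URL.SKU#" cfsqltype="CF_SQL_INTEGER">:
    the value must be an integer and is bound as data, never as SQL."""
    if not SKU_PATTERN.fullmatch(sku):
        raise ValueError(f"sku must be an integer, got {sku!r}")
    return conn.execute(
        "SELECT SKU, Name FROM Products WHERE SKU=?", (int(sku),)
    ).fetchall()


def flag_suspicious_sku(urls):
    """Detection: return (url, decoded sku) pairs whose sku is anything other than
    a plain integer, which is how the requests in the error reports stand out."""
    flagged = []
    for url in urls:
        for value in parse_qs(urlsplit(url).query).get("sku", []):
            if not SKU_PATTERN.fullmatch(value):
                flagged.append((url, value))
    return flagged


if __name__ == "__main__":
    db = make_catalogue()
    print(lookup_concatenated(db, "125 and 3=3"))  # the probe runs as SQL
    try:
        lookup_parameterised(db, "125 and 3=3")
    except ValueError as err:
        print("rejected:", err)
```

The parameterised lookup rejects the probe before the database ever sees it, which is the property the CF_SQL_INTEGER type on cfqueryparam gives you; the flagging helper is what you would run over the web server's access log or the notification e-mails to see how often these requests arrive.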



Source: https://stackoverflow.com/questions/9668075/is-this-an-example-of-an-sql-injection-attack
