This is off-topic but your example is a perfect demonstration on how to create a sql injection and a cross site scripting vulnerability.
To prevent sql injections you should always use the VAL of a numeric values and escape string values of all URL or FORM variables. If you are not familiar with sql injection, here is an example using your sample code:
templatename.cfm?op=del&sysID=0%20or%201%3D1
which will be processed in your query as:
-
<cfquery name="delSystem" datasource="Security_Access" dbtype="ODBC">
-
delete from tblSystem
-
where sysID=0 or 1=1
-
</cfquery>
-
which in turn will produce devistating result to you database. This is a simple example. If a hacker finds a sql injection door open, he or she can do much more damage than this. Correcting the problem is simple:
-
<cfquery name="delSystem" datasource="Security_Access" dbtype="ODBC">
-
delete from tblSystem
-
where sysID=#Val(URL.sysID)
-
</cfquery>
-
Cross site scripting or XSS is when a hacker can cause a client browser to display and execute unwanted and possibly dangerous scripting code. The part in your sample of concern is here:
templatename.cfm?op=del&sysID%3Cscript%20language% 3D%22JavaScript%22%20type%3D%22text%2Fjavascript%2 2%3Ealert%28%22You%27re%20screwed%21%22%29%3B%3C%2 Fscript%3E
which will process in your display block as:
-
<cfoutput query="delSystem">
-
Record <script language="JavaScript" type="text/javascript">alert("You're screwed!");</script> deleted!
-
</cfoutput>
-
XSS is harder to prevent than sql injection. The site
www.owasp.org details both these vulnerabilities more and have links to even more info. I highly recommend that you research this further.
219
