cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Exit
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
  • 한국 커뮤니티
0
Upvote

Can SQL injection output rows to hacker?

chazman113
Explorer ,
Oct 22, 2008 Oct 22, 2008
Can a hacker retrieve rows through SQL injection or simply just jumble up the data? I wouldn't see how they could get the rows without coldfusion code that will actually be instructed to output the query. If not, are there any hot cf/mssql hacking techniques to steal database rows?
TOPICS
Advanced techniques
842
Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 3 Replies 3
latest latest Jump to latest reply
Newsgroup_User
LEGEND ,
Oct 22, 2008 Oct 22, 2008
chazman113 wrote:
> Can a hacker retrieve rows through SQL injection

Yes, yes they can.

You are correct that there would need to be code to output the data.
The hackers just use the code you already have built to output data.
But then use SQL injection tricks to output more data then the developer
intended for anybody to see.

Here is a blog that describe a real life example of just that.
http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-S...
Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
fober1
Participant ,
Oct 22, 2008 Oct 22, 2008
HI,
I'm sure you know the default CF error page that you see if your SQL statement is incorrect, where it shows to you the incorrect SQL statement and the error message that the SQL server returned.
Hackers can use pages like that to not just display SQL error messages but also a table dump of your DB tables.

So first of all place a "Site-wide Error Handler " page, and make sure none of your scripts return a "raw" error description.

There are other additional steps that need to be taken to secure a site, but this is a start.

cheers,
fober
Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
chazman113
Explorer ,
Oct 22, 2008 Oct 22, 2008
LATEST
The default error page doesn't output errors directly fortunately. Just need to run through and make sure everything is parametrized I suppose
Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
ColdFusion User Guide
Open in a new window
Copyright © 2025 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices