EasyCFM.COM ColdFusion Forums / MS SQL Server Related Issues / SQL Injection Attack



daniel
08-12-2008 @ 7:23 AM
New Member
Posts: 1
Joined: Aug 2008

I learned it the hard way. The following CFQUERYPARAM statement is not enough to prevent SQL injection attacks.

<cfquery name="Recordset1" datasource="cafetownsend">
SELECT *
FROM COMMENTS
WHERE COMMENT_ID =<cfqueryparam value="#URL.COMMENT_ID#" cfsqltype="cf_sql_numeric">
</cfquery>


A Chinese website was able to inject data with a Trojan virus. Be aware! Please use stored procedures for all your queries.

specific
10-05-2008 @ 1:42 PM
Senior Member
Posts: 897
Joined: Apr 2006

Why not also put some SQL injection blocking code in application.cfm? That will check every URL and FORM value for invalid input.

Correct me if I am wrong here?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Door to Coldfusion Community
Will Remain Open Till World Ends

Want a Web Portal Contact Me

randhawaz81@gmail.com

http://portal.randhawaworld.com/

tgruen
03-07-2011 @ 11:13 PM
Junior Member
Posts: 59
Joined: Aug 2006

I thought I would post some of my thoughts on this topic in the spirit of sharing.

Firstly, Daniel, I would use CF_SQL_INTEGER rather than NUMBER. My rule of thumb for anything in number format is "am I doing calculations with it?". If the answer is no, and the numbers are whole, use INTEGER.

To guard against SQL injection I use the full CFQUERY PARAM (<cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#session.user#" null = "#YesNoFormat(NOT Len(Trim(session.user)))#">)

Also, monitor your URL strings in the application.cfm file with something like...

<!--- FindNoCase returns the position of the match, so test for any position, not only position 1 --->
<cfif FindNoCase("|", cgi.query_string) gt 0><cfabort showerror="Sorry, you appear to be attempting to hack our site."></cfif>

and on pages that I can isolate as action pages I police traffic by domain. If they are not arriving at that page FROM my domain, they get bounced. For example:

<cfif FindNoCase("www.mydomain.com", cgi.http_referer) is 0>
    <cfscript>
        StructClear(session);
    </cfscript>
    <cflocation url="http://www.fbi.gov">
</cfif>

I just wanted to share some tricks I use. I am sure this is not all there is that can be done. This is just what I have arrived at from experience.

Tony

This message was edited by tgruen on 3-7-11 @ 11:14 PM
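As an added illustration (not code from this thread or from ColdFusion), here is the contrast the posters are circling: a lookup that splices the COMMENT_ID value straight into the SQL text, beside one that first validates it as a whole number (tgruen's CF_SQL_INTEGER rule) and then binds it as a parameter so it can only ever be a value, never SQL. Python with an in-memory sqlite3 database stands in for the ColdFusion datasource; the COMMENTS rows are constructed.

```python
import re
import sqlite3

# Constructed sample schema mirroring the thread's COMMENTS / COMMENT_ID lookup.
def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE COMMENTS (COMMENT_ID INTEGER PRIMARY KEY, BODY TEXT)")
    db.executemany(
        "INSERT INTO COMMENTS VALUES (?, ?)",
        [(1, "first"), (2, "second"), (3, "third")],
    )
    return db


def lookup_concat(db: sqlite3.Connection, comment_id: str) -> list:
    """Vulnerable pattern: the request value becomes part of the SQL text,
    so anything the client sends is interpreted as SQL, not as a number."""
    sql = f"SELECT * FROM COMMENTS WHERE COMMENT_ID = {comment_id}"
    return db.execute(sql).fetchall()


def is_whole_number(value: str) -> bool:
    """Strict integer check: optional sign and digits only.
    int() alone is too lenient (it accepts '1_000', for example)."""
    return re.fullmatch(r"-?\d+", value.strip()) is not None


def lookup_param(db: sqlite3.Connection, comment_id: str) -> list:
    """Hardened pattern: reject anything that is not a whole number, then
    bind the value as a parameter. The database driver never sees it as SQL."""
    if not is_whole_number(comment_id):
        raise ValueError(f"COMMENT_ID must be an integer, got {comment_id!r}")
    value = int(comment_id)
    return db.execute(
        "SELECT * FROM COMMENTS WHERE COMMENT_ID = ?", (value,)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()
    print(lookup_concat(conn, "1 OR 1=1"))   # every row leaks
    print(lookup_param(conn, "2"))           # [(2, 'second')]
```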

