Comments on: ColdFusion SQL Injection Attack Terror

Question: ColdFusion SQL Injection Attack Terror

East Manitoba Regional Junior Kabaddi Champion '94 — Mon, 22 Oct 2007 12:24:20 -0800

ColdFusion MX 7 and Microsoft SQL Server 2005. There's a lot of unvalidated parameters in our CFQUERYs. But, I'm told that putting the parameters in single-quotes will prevent injection attacks, because of the way ColdFusion escapes single-quotes. Is this foolproof, or do I have to go in and validate everything with CFQUERYPARAM tags?

By: jenkinsEar

jenkinsEar — Mon, 22 Oct 2007 13:22:48 -0800

I usually do the o'reilly test- I put o'reilly into every form field, and see if it barfs.

FWIW, this is pretty easy to test- write an input form that puts it's content into a database, put in some bad sql ('-- select * from users where 1=1' , and see if you can retrieve it from the database- if the original SQL is in the field, you're probably ok.

By: me & my monkey

me & my monkey — Mon, 22 Oct 2007 15:31:21 -0800

It isn't foolproof. You need to go in and use CFQUERYPARAM tags anywhere you accept unvalidated parameters. While using single quotes with CF strings break all of the common SQL injection attacks I've seen in use, it doesn't prevent second-order SQL injection.

By: garius

garius — Tue, 23 Oct 2007 06:56:50 -0800

i'll second what me & my monkey has said. Its important that you always use CFQUERYPARAM tags unless you can 100% confirm that the data in question is never entered by human hand. Even then i'd still do it, just because its easier to make it a "never" situation than a "maybe" if you want to be fully secure.

Also, related to this, don't forget to secure any forms against javascript injection, which is what all the cool kids are into these days.

SQL Injection is sooooooooooo 2004 dahling!