ColdFusion SQL Injection Attack Terror
October 22, 2007 12:24 PM

ColdFusion MX 7 and Microsoft SQL Server 2005. There's a lot of unvalidated parameters in our CFQUERYs. But, I'm told that putting the parameters in single-quotes will prevent injection attacks, because of the way ColdFusion escapes single-quotes. Is this foolproof, or do I have to go in and validate everything with CFQUERYPARAM tags?
posted by East Manitoba Regional Junior Kabaddi Champion '94 to Computers & Internet (3 answers total) 1 user marked this as a favorite
 
I usually do the o'reilly test: I put o'reilly into every form field and see if it barfs.

FWIW, this is pretty easy to test: write an input form that puts its content into a database, put in some bad SQL ('-- select * from users where 1=1'), and see if you can retrieve it from the database. If the original SQL is in the field, you're probably OK.
posted by jenkinsEar at 1:22 PM on October 22, 2007


Best answer: It isn't foolproof. You need to go in and use CFQUERYPARAM tags anywhere you accept unvalidated parameters. While using single quotes with CF strings breaks all of the common SQL injection attacks I've seen in use, it doesn't prevent second-order SQL injection.
posted by me & my monkey at 3:31 PM on October 22, 2007 [1 favorite]
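The two patterns being compared in the question and this answer, as an added illustration rather than code from the thread or from the poster's application: the first query relies on wrapping an interpolated value in single quotes, the second binds every value with CFQUERYPARAM. The datasource name, table and column names, and the form/URL field names are assumptions made for the example.

```cfml
<!--- Pattern from the question: unvalidated form/URL values dropped straight into SQL.
      The quoted string gets ColdFusion's single-quote escaping; the unquoted
      numeric value gets no protection at all, since a number is never quoted. --->
<cfquery name="getOrders" datasource="#application.dsn#">
    SELECT order_id, customer_name, total
    FROM   orders
    WHERE  customer_name = '#form.customerName#'
    AND    status_id = #url.statusId#
</cfquery>

<!--- Pattern from the answer: every value is bound with cfqueryparam, so it reaches
      SQL Server as a bound parameter and is never parsed as SQL text, regardless of
      whether it came from a form, a URL, or a row read back out of the database.
      cfsqltype and maxlength also act as input validation: a non-integer statusId
      raises a ColdFusion error before the query is ever sent. --->
<cfquery name="getOrders" datasource="#application.dsn#">
    SELECT order_id, customer_name, total
    FROM   orders
    WHERE  customer_name = <cfqueryparam value="#form.customerName#"
                                         cfsqltype="cf_sql_varchar"
                                         maxlength="100">
    AND    status_id     = <cfqueryparam value="#url.statusId#"
                                         cfsqltype="cf_sql_integer">
</cfquery>

<!--- A comma-separated list of ids (e.g. from a multi-select) is bound the same way
      with list="true"; cfqueryparam expands it into one placeholder per element. --->
<cfquery name="getOrdersByStatus" datasource="#application.dsn#">
    SELECT order_id, customer_name, total
    FROM   orders
    WHERE  status_id IN (<cfqueryparam value="#form.statusIds#"
                                       cfsqltype="cf_sql_integer"
                                       list="true">)
</cfquery>
```

The o'reilly test mentioned above is still worth running against the second form: the value is stored and retrieved intact because the apostrophe is data, not SQL, and no escaping step is involved for the driver to get wrong.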


I'll second what me & my monkey has said. It's important that you always use CFQUERYPARAM tags unless you can 100% confirm that the data in question is never entered by human hand. Even then I'd still do it, just because it's easier to make it a "never" situation than a "maybe" if you want to be fully secure.

Also, related to this, don't forget to secure any forms against javascript injection, which is what all the cool kids are into these days.

SQL Injection is sooooooooooo 2004 dahling!
posted by garius at 6:56 AM on October 23, 2007

