> I remember a couple of threads about this topic, however, I 
> never have any luck with the archives. What approaches 
> have you taken to stop SQL insertion attacks? 

As long as you use bind parameters with every SQL statement, you won't have
any problems with SQL injection attacks. If you're sending SQL statements
from CF, that means using CFQUERYPARAM. An alternative is to use stored
procedures, which also separate parameters from the rest of the SQL
execution request.

However, that will only protect you from SQL injection attacks; it won't
protect you against attacks which rely on storing the attack string itself
within the database. Cross-site scripting attacks fall into this category.
For those, you can filter out everything but a limited character set.

> Our current thinking is to check for a set of certain 
> characters (*,',&, etc) and make the user remove those 
> characters before submitting a template. One of my 
> questions regarding this approach is: Can you loop 
> through each input form field (in javascript? in 
> coldfusion?) in some sort of array that contains form 
> variables and ensure all potentially malicious characters 
> are removed before form submission? What I am trying
> to avoid is checking each form field separately and I 
> would like the code to be portable to many applications, 
> hopefully in a cfinclude on each page that contains 
> input fields. Your input/help is greatly appreciated.

First, you will absolutely have to do your checking on the server, in CF or
within the database itself, not in the browser using JavaScript. The use of
JavaScript would not enhance your security one little bit.

Second, you'll have to check each form field separately. However, you can
simply loop over the Form scope to do this, so you can easily encapsulate
your code for this.

Finally, if you're using IIS, you might want to take a look at complementing
your code with an IIS input filter, which will generally do a pretty good
job of handling all sorts of malformed input. You can use the free URLScan
from MS, or the SecureIIS product from eEye; both will work fine. There are
others on the market also, but I haven't tried them out.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
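The two recommendations in the reply above (a server-side allow-list filter that loops over the Form scope so it can be cfinclude'd on any page, and CFQUERYPARAM bind parameters so user input never becomes part of the SQL text), put together in one request handler. This is an added example, not code from the original post or from Fig Leaf Software; the datasource name "appdsn", the table "comments" with columns id, author and body, and the form fields form.author, form.body and form.id are assumed names.

```cfml
<!--- Added example (not from the original post). Assumed names:
      datasource "appdsn", table "comments" (id, author, body),
      form fields form.author, form.body and form.id. --->

<!--- 1. Portable input filter, meant to be cfinclude'd on every page that
      receives form input. It loops over the Form scope instead of naming
      each field, and keeps only an allow-list of characters (letters,
      digits, space and a few punctuation marks); everything else is
      dropped. It runs on the server, because anything done in browser
      JavaScript can be skipped by a client that posts the form directly. --->
<cfloop collection="#form#" item="fieldName">
    <!--- form.fieldnames is CF's own list of field names; leave it alone --->
    <cfif fieldName NEQ "fieldnames">
        <cfset form[fieldName] = reReplace(form[fieldName],
                                           "[^A-Za-z0-9 .,!?@-]", "", "all")>
    </cfif>
</cfloop>

<!--- 2. Bind parameters. The unsafe form is shown first, commented out,
      only for contrast: the values are spliced into the SQL string, so a
      quote character in form.author changes the statement itself. --->
<!---
<cfquery name="unsafeInsert" datasource="appdsn">
    INSERT INTO comments (author, body)
    VALUES ('#form.author#', '#form.body#')
</cfquery>
--->

<!--- With cfqueryparam the SQL text is fixed and the values travel as
      typed parameters; maxlength also rejects oversized input. --->
<cfquery name="safeInsert" datasource="appdsn">
    INSERT INTO comments (author, body)
    VALUES (
        <cfqueryparam value="#form.author#" cfsqltype="cf_sql_varchar" maxlength="50">,
        <cfqueryparam value="#form.body#"   cfsqltype="cf_sql_varchar" maxlength="2000">
    )
</cfquery>

<!--- Numeric lookups get a numeric type: a non-integer form.id is refused
      by cfqueryparam before any SQL is sent to the database. --->
<cfquery name="getComment" datasource="appdsn">
    SELECT id, author, body
    FROM   comments
    WHERE  id = <cfqueryparam value="#form.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

The filter block is the part that would live in the shared cfinclude; note that it silently alters stored values, so it belongs on fields where dropping characters is acceptable. The cfqueryparam tags are what actually stop SQL injection; the filter only limits what can later be stored and echoed back to other users.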
