Using CFQUERYPARAM will secure your DB calls. That doesn't mean you don't have other problems. But it does mean that executing arbitrary code against the DB using user inputs (form, url, cookie) is no longer possible. When the system sees something like <cfqueryparam cfsqltype="CF_SQL_CHAR" value="blah; drop table foo"/> it will bind those characters to a variable of the type "char". Unless you are subsequently executing that char string as dynamic SQL somewhere (like in an SP) you are safe from damage to the DB. Of course there are plenty of other things to worry about :)
-Mark

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Radek Valachovic [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 24, 2008 12:12 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Do you think that when I am using cfqueryparams, for example with numbers like this, it is secure?:

SELECT * FROM product WHERE productoid=<cfqueryparam value="#url.productoid#" cfsqltype="CF_SQL_INTEGER" maxlength="6">

Another example, which I am thinking is worse, is with text; I made it like this:

SELECT * FROM item WHERE L3=<cfqueryparam value="#url.L3#" cfsqltype="CF_SQL_VARCHAR" maxlength="22">

I added maxlength for more security; with PRODUCTOID it is always 6, and the text no more than 22. Do you think this should work to secure the site? Not talking about permissions to the database etc., just about cfqueryparams.

On Wed, Jul 23, 2008 at 9:48 PM, Mark Kruger <[EMAIL PROTECTED]> wrote:
> Excuse me... But why are you checking script_name and Path_info for "EXEC(" .... Both of these are generated on the web server - not sent by the browser... So I'd be interested to know your reasoning. Also, form elements are not part of the "query_string" since they are passed in a form "body" container separate from the header.
>
> If you are looking for a stop gap try the isSQLInject function on cflib.org (and make sure you add declare, cast and exec to the list). I posted a snippet on my blog that uses this UDF like so:
>
> <!--- check the URL scope --->
> <cfif isDefined('url')>
>   <cfloop collection="#url#" item="uItem">
>     <cfif isSQLInject(url[uItem])>
>       <cfabort>
>       ... Or whatever action you want.
>     </cfif>
>   </cfloop>
> </cfif>
> <!--- check the FORM scope --->
> <cfif isDefined('form')>
>   <cfloop collection="#form#" item="fItem">
>     <cfif isSQLInject(form[fItem])>
>       <cfabort>
>       ... Or whatever action you want
>     </cfif>
>   </cfloop>
> </cfif>
>
> Of course if you use cookies inside of queries, or copy stuff to the request or attributes scope (a la fusebox 2-3) then you might need additional iterations. In my opinion this is a stop gap measure and should not be used to 'stand in' for not using bound variables and actual validation routines based on the form being submitted or url being fetched. You should still redress the issues with your code in spite of measures like this one. In addition - looping through available user input scopes can be expensive and it can result in false positives. If someone submits a comment in a forum that says they are "Casting about for a solution" or that they "declare the issue resolved" then these items will be trapped unnecessarily by the code above. If the vars are properly bound however, they will be safely inserted into the DB as part of the comments.
>
> -Mark
>
> =========== here's the modified UDF ===========
>
> <cfscript>
> /**
>  * Tests a string, one-dimensional array, or simple struct for possible SQL injection.
>  *
>  * @param input String to check. (Required)
>  * @return Returns a boolean.
>  * @author Will Vautrain (vautrain@yahoo.com)
>  * @version 1, July 1, 2002
>  */
> function IsSQLInject(input) {
>     var listSQLInject = "cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,drop,--,'";
>     var arraySQLInject = ListToArray(listSQLInject);
>     var i = 1;
>
>     for (i = 1; i lte arrayLen(arraySQLInject); i = i + 1) {
>         if (findNoCase(arraySQLInject[i], input)) return true;
>     }
>
>     return false;
> }
> </cfscript>

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309631
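The contrast Mark draws above between the isSQLInject keyword blacklist and bound variables, as an added example that is not part of the thread and not Mark's or cflib's code: Python's sqlite3 stands in for the ColdFusion datasource, the product and comments tables and their rows are constructed for the demo, and SQL_INJECT_TOKENS is a port of the quoted UDF's list with "declare" added as the thread suggests. It shows the blacklist flagging an innocent forum comment while missing a tautology that the concatenated query happily executes, and the bound, type-checked lookup (the equivalent of Radek's CF_SQL_INTEGER / maxlength="6" param) refusing that same input.

```python
import sqlite3

# Constructed port of the cflib isSQLInject keyword list quoted above,
# with "declare" added as the thread suggests.
SQL_INJECT_TOKENS = ["cast", "exec", "execute", "sp_executeSQL", "revoke",
                     "grant", "select", "insert", "update", "delete", "drop",
                     "--", "'", "declare"]


def is_sql_inject(value: str) -> bool:
    """Blacklist check equivalent to the UDF: case-insensitive substring match."""
    lowered = value.lower()
    return any(tok.lower() in lowered for tok in SQL_INJECT_TOKENS)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the ColdFusion datasource; tables and rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (productoid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE comments (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT);
        INSERT INTO product VALUES (100001, 'widget'), (100002, 'gadget');
    """)
    return conn


def lookup_product_concat(conn: sqlite3.Connection, productoid: str) -> list:
    """Unsafe pattern: url.productoid is spliced into the SQL text, so the
    value is parsed as SQL and a tautology such as '0 OR 1=1' widens the query."""
    sql = "SELECT name FROM product WHERE productoid=" + productoid
    return [row[0] for row in conn.execute(sql)]


def lookup_product_bound(conn: sqlite3.Connection, productoid: str,
                         maxlength: int = 6) -> list:
    """Equivalent of <cfqueryparam cfsqltype="CF_SQL_INTEGER" maxlength="6">:
    reject anything that is not a short digit string, then bind it as a
    parameter so the driver sends it as data, never as SQL text."""
    if len(productoid) > maxlength or not productoid.isdigit():
        raise ValueError("productoid must be at most %d digits" % maxlength)
    rows = conn.execute("SELECT name FROM product WHERE productoid=?",
                        (int(productoid),))
    return [row[0] for row in rows]


def bound_lookup_rejects(conn: sqlite3.Connection, productoid: str) -> bool:
    """True when the validated, bound lookup refuses the value."""
    try:
        lookup_product_bound(conn, productoid)
    except ValueError:
        return True
    return False


def store_comment_bound(conn: sqlite3.Connection, body: str,
                        maxlength: int = 2000) -> str:
    """Equivalent of a CF_SQL_VARCHAR cfqueryparam on a forum comment: the text
    is bound as data, so 'cast' or 'drop table' inside it is just characters.
    Returns the stored body read back so the caller can see it is unchanged."""
    if len(body) > maxlength:
        raise ValueError("comment exceeds maxlength %d" % maxlength)
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    row = conn.execute("SELECT body FROM comments WHERE id=?",
                       (cur.lastrowid,)).fetchone()
    return row[0]


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Confirms the bound insert stored the payload rather than executing it."""
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(lookup_product_concat(db, "0 OR 1=1"))          # ['widget', 'gadget']
    print(is_sql_inject("0 OR 1=1"))                      # False: nothing on the list
    print(is_sql_inject("Casting about for a solution"))  # True: false positive
    print(bound_lookup_rejects(db, "0 OR 1=1"))           # True
    print(store_comment_bound(db, "blah; drop table product"))
    print(table_exists(db, "product"))                    # True
```

The tautology case is the one to notice: the UDF's list has no entry for "or" or "=", so the filter passes "0 OR 1=1" straight through to the concatenated query, while the same string never reaches the bound query because it fails the digit check that CF_SQL_INTEGER performs for you. The comment case is the other half of Mark's point: the blacklist rejects a harmless sentence, but bound as a VARCHAR parameter it is stored verbatim and the product table is untouched.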

