Script protection can also be enabled on an "application" basis. If you are
confident that your admin tools are not easily hacked, you can have a
"public" application with scriptprotect disabled and an admin section with
it enabled. This is fairly common when using a CMS.

<cfapplication name="blah" scriptprotect="all" ....>

Or in an application.cfc

this.scriptProtect = "all";

-Mark


Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com


-----Original Message-----
From: Paul Alkema [mailto:[email protected]] 
Sent: Monday, March 22, 2010 8:56 AM
To: cf-talk
Subject: RE: ColdFusion SQL Hack


I would ensure that every single update / insert on your site is using
cfqueryparam for security's sake; however, it sounds to me like your issue is
not SQL injection but more XSS attacks. An XSS attack is where data is
inserted into a page, usually via a database input field somewhere, which
then executes JavaScript or another piece of code on the site, which can
cause users' sessions to be hijacked, or the user could simply be redirected,
which is what it sounds like this XSSer is doing.

Dorioo is right on about the fix for this. I would either sanitize all data
that a customer has access to input with htmlEditFormat() or sanitize
the output with htmlEditFormat().

I.e.:

INSERT INTO users (userName)
VALUES ('#form.username#')

Should be..

INSERT INTO users (userName)
VALUES ('#htmlEditFormat(form.username)#')

Another option would be to enable "Global Script Protection" in the settings
area of your ColdFusion Administrator. Doing this will cause you to never
have the ability to pass JavaScript tags and object tags via CGI, FORM and
URL variables, though, so I would be careful about this global option.

Good luck!
Paul Alkema
AlkemaDesigns.com
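
Below is an added example, not code from this thread or from any of its
authors, that puts the two fixes discussed here side by side in one page:
cfqueryparam to keep form input out of the SQL text (Anthony's original SQL
injection concern), and htmlEditFormat applied at output time (Paul's XSS
point). The datasource name "DS1" is borrowed from Anthony's query, the users
table and userName column from Paul's snippet, and the form value is a
constructed sample so the page can be exercised without a real form post;
everything else is assumed for illustration.

```cfml
<!--- Added example (not from the thread). Assumes datasource "DS1" and a
      users table with a varchar userName column. --->

<!--- Constructed sample input standing in for a hostile form post: a
      redirect payload of the kind the thread describes. --->
<cfparam name="form.username"
         default="<script>document.location='http://evil.example/';</script>">

<!--- 1. Store the value as submitted, but bind it as a parameter. The SQL
      string never contains the user's text, so quotes or semicolons in
      form.username cannot change the statement. --->
<cfquery datasource="DS1">
    INSERT INTO users (userName)
    VALUES (<cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">)
</cfquery>

<!--- 2. Read it back and encode at output time. htmlEditFormat turns
      < > & " into entities, so the browser shows the script tag as text
      instead of running it. --->
<cfquery name="qUsers" datasource="DS1">
    SELECT userName FROM users
</cfquery>

<ul>
<cfoutput query="qUsers">
    <li>#htmlEditFormat(qUsers.userName)#</li>
</cfoutput>
</ul>
```

Encoding at output rather than at insert keeps the stored data intact, so the
same row can later be emitted into a different context (a CSV export, a JSON
API) with the encoding that context needs instead of HTML entities baked into
the database. The cfqueryparam line is independent of the XSS fix: it
addresses the injection question whether or not the output is encoded.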

-----Original Message-----
From: Mike Chabot [mailto:[email protected]] 
Sent: Monday, March 22, 2010 9:25 AM
To: cf-talk
Subject: Re: Coldfusion SQL Hack


The query you wrote is not hackable via SQL injection. No changes need
to be made to it.

-Mike Chabot

On Mon, Mar 22, 2010 at 7:04 AM, Anthony Doherty
<[email protected]> wrote:
>
> I have a site page that is only using the query below and the site keeps
> getting hit by SQL hacks.  I have looked through every SQL query and all the
> queries are using <cfqueryparam value="#URL.???#"
> cfsqltype="cf_sql_numeric"> so they can't be hacked.
>
> Can someone explain how I can amend this query so it's not hackable?
>
> <cfquery name="RS1" datasource="DS1">
> SELECT     FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY,
>            County.County, County.ID
> FROM       FEEDBACK INNER JOIN
>            County ON (FEEDBACK.COUNTY = County.ID)
> </cfquery>
>
> Thanks
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331943