Uh.. Raymond's email is better.  I wrote this before I received his; as I've
had work to do, I only now found Raymond's email.  I've emailed anyway, as
while some things overlap, there is a bit more specific information on the
topic of server-side validation.

Examine how you treat the URL/FORM parameters used in queries.

When using integers (eg. referencing a primary key of integer type) make
sure they really are numeric (use isNumeric(blah) instead of <cfparam
name="blah" type="numeric"> as 0a to 23a and 0p to 23p are regarded as
numeric by cfparam)

When using other data types, make sure they are validated *on receiving* in
some way (eg. just before you do the cfquery).

If you ever use PreserveSingleQuotes, make sure any string passed by
URL/FORM you're using has had its single quotes manipulated (eg.
replace(url.title, "'", "''", "all") )

Don't receive column/table names via the URL/FORM variables, unless you have
something to check them against.  eg. You have a list of available tables
hard-coded and you check that url.table is in that list.

Ideally, you want only values (eg. 'henry', 31, 1323) passed in URL/FORM
variables.  Less work, as you don't have to check validity as much. ;-)

Of course, to generalise all this:
"Check all variables that are to be used exist and are valid for their use
before running your Query"
now ask, should that person, though the query is safe, have been allowed to
do that query?  ;-)
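As an added example (not part of the original email or the CF-Talk thread), here is how the checks listed above fit together in one CFML request handler: a strict integer test for the key, a hard-coded table list that url.table is checked against, validation of a string on receipt, and the quote-doubling replace for a query that still relies on PreserveSingleQuotes. The names url.id, url.table, url.title, the "customers,orders" list and the "products" datasource are assumed for illustration. The cfqueryparam binding is not mentioned in the thread; it is added here as the standard ColdFusion way to keep user-supplied values out of the SQL text altogether.

```cfml
<!--- Added example, not code from the thread. Assumed names: url.id, url.table,
      url.title, the table list below and the "products" datasource. --->

<!--- 1. Integer keys: require digits only. A plain "numeric" check in cfparam is
      looser than this, which is the point the thread makes. --->
<cfif NOT isDefined("url.id") OR NOT reFind("^[1-9][0-9]*$", url.id)>
    <cfthrow message="Invalid record id">
</cfif>

<!--- 2. Table names: never taken from the URL directly; the URL value only
      selects an entry from a hard-coded list, and that entry is what we use. --->
<cfset allowedTables = "customers,orders">
<cfif NOT isDefined("url.table") OR listFindNoCase(allowedTables, url.table) EQ 0>
    <cfthrow message="Unknown table">
</cfif>
<cfset tableName = listGetAt(allowedTables, listFindNoCase(allowedTables, url.table))>

<!--- 3. String values: validate on receipt (length and character set), then
      bind with cfqueryparam so no single quote from the user reaches the SQL. --->
<cfparam name="url.title" default="">
<cfif len(url.title) GT 100 OR NOT reFind("^[A-Za-z0-9 '.-]*$", url.title)>
    <cfthrow message="Invalid title">
</cfif>

<cfquery name="getRows" datasource="products">
    SELECT id, title
    FROM #tableName#
    WHERE id = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.id#">
      AND title LIKE <cfqueryparam cfsqltype="cf_sql_varchar" value="%#url.title#%">
</cfquery>

<!--- 4. A legacy query that builds the SQL as a string and passes it through
      PreserveSingleQuotes: double every single quote in the user value first,
      exactly as the thread advises, before it is spliced into the text. --->
<cfset safeTitle = replace(url.title, "'", "''", "all")>
<cfset sql = "SELECT id FROM " & tableName & " WHERE title = '" & safeTitle & "'">
<cfquery name="legacyRows" datasource="products">
    #preserveSingleQuotes(sql)#
</cfquery>
```

Step 3 is the form to prefer for new code: once the value is bound through cfqueryparam, the quote-doubling in step 4 is only needed for queries that cannot be changed to use it.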

----- Original Message -----
From: "Pooh Bear" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, May 23, 2001 12:16 PM
Subject: RE: Compromising Security


but my DB isn't located in some folder, it's a SQL server DB, not an access
file.


>From: "Peter Tilbrook" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: CF-Talk <[EMAIL PROTECTED]>
>Subject: RE: Compromising Security
>Date: Wed, 23 May 2001 11:56:50 +1000
>
>The first thing you should do is store your databases in a folder that is
>not accessible from the Internet (out of your web root). For example:
>
>Your websites could be in c:\inetpub\wwwroot\mywebsite\
>
>But you should store the databases somewhere else, eg:
>
>c:\datasources\
>
>Secure this directory and update CF Administrator to look here for
>datasources instead. Don't think your databases have to be physically
>within your web site for CF to access them.
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Pooh Bear
>Sent: Wednesday, 23 May, 2001 2:28 AM
>To: CF-Talk
>Subject: Compromising Security
>
>
>hey, I was wondering what are the least amount of information someone needs
>to compromise my database or code?  I am.....err..."hacking?" my
>site/database through the URL.  So far, I've got 2 tablenames, the
>datasource, and some field names.  I don't want to have to do a lot of
>coding
>to prevent this from being seen by someone else, but I will if I have to, but
>first I want to know if anyone could do anything with this much
>information.
>   Thanx! :)
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
