We use a very simple approach that has worked extremely well for us.
In the application.cfm page we check the cgi.query_string for "CAST("
or "EXEC(" as well as the form variables. If we find those, we
<cfabort> or run some kind of handler. If you wanted to get
fancy you could add a bypass variable with a certain algorithm, but so
far we've not needed anything like that. This approach saves tons of time trying to modify countless pages and discovering you missed one. It may not work for everyone but it has worked for us. Good luck!

-James

John Bliss wrote:

> Is cfprocparam any better than cfqueryparam?
>
> On Oct 1, 1:25 pm, Shane Heasley <[EMAIL PROTECTED]> wrote:
>
> > I recently posted the below on a CF forum in response to a question about how to avoid SQL injection attacks:
> >
> > If you can limit form field entries to alphas and numbers only then you are pretty safe.
> >
> > <cfset someFormField = REReplaceNoCase(form.comments, '[^a-z0-9]', '', 'all')>
> >
> > When you allow special characters then the risks skyrocket. Don't forget any field is open to attack - hidden form fields, drop lists, password fields (many forget those). You need to use cfqueryparam, HTMLEditFormat, and you need to limit extended characters unless you have no choice. If you allow special characters then you need to use some of the bad string removal functions available at cflib. Just keep in mind those functions get dated and were probably not 100% effective even when first written.
> >
> > In response, another forum member posted this link which I think is worth sharing. It just goes to show how difficult it is at present to stop SQL injection attacks when the input string cannot be character limited.
> >
> > http://blog.ninanet.com/blog1.php/2008/08/22/sql-injection-attacks-no...
> >
> > Anyone here have any suggestions other than limiting the character set or "trying" to identify and remove attack strings?

You received this message because you are subscribed to the "Houston ColdFusion Users' Group" discussion list. To unsubscribe, send email to [EMAIL PROTECTED]. For more options, visit http://groups.google.com/group/houcfug?hl=en
- [houcfug] SQL Injection Attacks Shane Heasley
- [houcfug] Re: SQL Injection Attacks John Bliss
- [houcfug] Re: SQL Injection Attacks James Dismukes
- [houcfug] Re: SQL Injection Attacks Aaron Rouse
- [houcfug] Re: SQL Injection Attacks Shane Heasley
