A huge thread was on this subject about a month ago on CF-Talk. I believe
some custom tags were even provided that do checks similar to this, not sure
what all they did since I only hazed over the thread when it happened.
On Thu, Oct 2, 2008 at 9:35 AM, James Dismukes <[EMAIL PROTECTED]> wrote:
> We use a very simple approach that has worked extremely well for us. In
> the application.cfm page we check the cgi.query_string for "CAST(" or
> "EXEC(" as well as the form variables. If we find those, we <cfabort> or
> run some kind of handler. If you wanted to get fancy you could add a
> by-pass variable with a certain algorithm, but so far we've not needed
> anything like that.
>
> This approach saves tons of time trying to modify countless pages and
> discovering you missed one. It may not work for everyone but it has worked
> for us.
>
> Good luck!
> -James
>
> John Bliss wrote:
>
> Is cfprocparam any better than cfqueryparam?
>
> On Oct 1, 1:25 pm, Shane Heasley <[EMAIL PROTECTED]> wrote:
>
> I recently posted the below on a CF forum in response to a question
> about how to avoid SQL injection attacks:
>
> If you can limit form field entries to alphas and numbers only then
> you are pretty safe.
>
> <cfset someFormField = REReplaceNoCase(form.comments, '[^a-z0-9]', '', 'all')>
>
> When you allow special characters then the risks skyrocket. Don't
> forget any field is open to attack - hidden form fields, drop lists,
> password fields (many forget those).
>
> You need to use cfqueryparam, HTMLEditFormat(), and you need to limit
> extended characters unless you have no choice. If you allow special
> characters then you need to use some of the bad string removal
> functions available at cflib. Just keep in mind those functions get
> dated and were probably not 100% effective even when first written.
>
> In response, another forum member posted this link which I think is
> worth sharing. It just goes to show how difficult it is at present to
> stop SQL injection attacks when the input string cannot be character
> limited.
> http://blog.ninanet.com/blog1.php/2008/08/22/sql-injection-attacks-no...
>
> Anyone here have any suggestions other than limiting the character set
> or "trying" to identify and remove attack strings?
--
Aaron Rouse
http://www.happyhacker.com/
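The thread contrasts three things: the string-filter approach (stripping non-alphanumerics or aborting on "CAST(" / "EXEC("), and the cfqueryparam approach Shane recommends. The following added example, which is not code from any of the posters, puts them side by side in one CFML page so the difference is concrete. It assumes a datasource named "demoDS" and a table "comments(id, author, body)"; both names are placeholders.

```cfml
<!--- Added example, not from the thread. Assumes datasource "demoDS" and a
      table comments(id, author, body); both are placeholder names. --->

<!--- 1. Request-level tripwire, as James describes in Application.cfm.
      This is a coarse blocklist: it stops the obvious automated strings
      but cannot be relied on as the only control, since it only knows the
      two substrings it was told about. Treat it as defense in depth. --->
<cfset badTokens = "CAST(,EXEC(">
<cfset suspicious = false>
<cfloop list="#badTokens#" index="tok">
    <cfif findNoCase(tok, cgi.query_string)>
        <cfset suspicious = true>
    </cfif>
    <cfloop collection="#form#" item="fieldName">
        <cfif findNoCase(tok, form[fieldName])>
            <cfset suspicious = true>
        </cfif>
    </cfloop>
</cfloop>
<cfif suspicious>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 2. Allow-list filter, as Shane suggests, for fields that can be
      restricted to letters and digits. Safe for such fields, but useless
      for free text like a comment body where apostrophes are legitimate. --->
<cfparam name="form.author" default="">
<cfparam name="form.body" default="">
<cfparam name="form.id" default="0">
<cfset cleanAuthor = REReplaceNoCase(form.author, "[^a-z0-9]", "", "all")>

<!--- 3a. The pattern cfqueryparam replaces: the raw value is spliced into
      the SQL text, so whatever the filters above miss is executed as SQL. --->
<cfquery name="qUnsafe" datasource="demoDS">
    SELECT id, author, body
    FROM comments
    WHERE body LIKE '%#form.body#%'
</cfquery>

<!--- 3b. Parameterized form: the value is sent as a bind parameter, never as
      SQL text, so quotes, CAST( or EXEC( inside it are just characters.
      maxlength caps the size; cf_sql_integer rejects non-numeric ids. --->
<cfquery name="qSafe" datasource="demoDS">
    SELECT id, author, body
    FROM comments
    WHERE body LIKE <cfqueryparam value="%#form.body#%" cfsqltype="cf_sql_varchar" maxlength="2000">
      AND author = <cfqueryparam value="#cleanAuthor#" cfsqltype="cf_sql_varchar" maxlength="50">
      AND id >= <cfqueryparam value="#form.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 4. Output encoding on the way back out, so a stored value is shown
      as text rather than interpreted as markup. --->
<cfoutput query="qSafe">
    <p>#HTMLEditFormat(author)#: #HTMLEditFormat(body)#</p>
</cfoutput>
```

The point of putting the three controls in one page is that only the cfqueryparam block addresses the root cause: the database driver receives the query shape and the user data separately. The tripwire and the allow-list filter still have a place (the tripwire as an early cut-off for mass scanning, the allow-list for fields that genuinely are alphanumeric), but neither makes the qUnsafe query safe on its own.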
You received this message because you are subscribed to the "Houston ColdFusion
Users' Group" discussion list.
To unsubscribe, send email to [EMAIL PROTECTED]
For more options, visit http://groups.google.com/group/houcfug?hl=en