> I've considered this. I am not sure how Stored Procs handle the
> parameters. Aren't Stored Procs still using SQL statements in the end?
Yes they are... however... A SQL-injection attack depends on the ability of the driver to handle multiple SQL statements in a single cfquery call... which some drivers do and some drivers don't... AFAIK typically it requires a ; to separate statements, so the attack string must include a ; fairly close to the beginning of the attack string... If you look at the syntax of a stored procedure call, what happens if the stored procedure doesn't get all the parameters it needs is the stored procedure errors, and usually, the remainder of the attack string isn't executed as a result...

You can take this a step further by using the cfstoredproc tag, which completely eliminates the possibility of a SQL injection attack by providing all of the parameters to the procedure via cfprocparam and thereby providing no SQL string to receive the injection.

There's a problem with cfstoredproc in that the dbvarname attribute of the cfprocparam has no mechanical function. It was originally supposed to pass the variable by name to the stored procedure, but it doesn't, so your parameters have to be passed in the same order they're specified in the procedure definition. To get around this I put all my cfstoredproc tags in a /dba/ directory and then run them all as custom tags -- on CFMX you could use functions to do this. In any event, the custom tag ensures that all calls to that procedure pass the parameters in the same order, and then I just use the tag attributes to name the parameters.

I forwarded some of the code I use to accomplish this to Justin Knowlton recently and he seemed pretty happy with it. If you're interested, let me know and I'll forward the same stuff over your direction.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruce Sorge
> Sent: Thursday, May 29, 2003 10:11 AM
> To: [EMAIL PROTECTED]
> Subject: Re: SQL Injection
>
> How about using only Stored Procedures?
> ----- Original Message -----
> From: "derek bumpas" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, May 29, 2003 10:02 AM
> Subject: SQL Injection
>
>> Hi all,
>>
>> I would like to know how most of you are protecting against malicious
>> users and checking for various attacks. I am most interested in
>> protecting against SQL Injection. Most of the examples and code
>> snippets that I have seen on both Macromedia and other sites don't
>> seem to have ANY protection against this type of attack.
>>
>> The CFQUERYPARAM tag can help if used correctly, but what are some
>> other techniques being used?
>>
>> Thanks,
>> derek
>>
>> -----------------------------------------------
>> To post, send email to [EMAIL PROTECTED]
>> To unsubscribe: Send UNSUBSCRIBE to [EMAIL PROTECTED]
>> To subscribe / unsubscribe: http://www.dfwcfug.org

s. isaac dealey
972-490-6624
new epoch
http://www.turnkey.to
lead architect, tapestry cms
http://products.turnkey.to
tapestry api is opensource
http://www.turnkey.to/tapi
certified advanced coldfusion 5 developer
http://www.macromedia.com/v1/handlers/index.cfm?ID=21816
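As an added illustration of the techniques discussed in this thread (example code, not taken from the original posts or from the author's own /dba/ tags): a cfquery that splices the request value into the SQL text, the same query with cfqueryparam, and a cfstoredproc call wrapped as a custom tag so callers name the parameters by attribute while the tag fixes the cfprocparam order once. The four fragments live in different files, as the comments note. The datasource name `myDSN`, the `users` table, the `usp_getUserByID` procedure and the tag file name are assumptions made for this example. Parameter binding keeps the value out of the SQL text entirely, so it does not depend on whether the driver accepts stacked statements.

```cfml
<!--- Added example; datasource, table, procedure and file names are assumptions. --->

<!--- 1. page.cfm, vulnerable: url.id is spliced into the SQL text. A value such as
      1; DROP TABLE users-- arrives at the driver as part of the statement; whether
      the second statement runs depends on the driver, but the statement text is
      under the caller's control either way. --->
<cfquery name="qUser" datasource="myDSN">
    SELECT userID, userName FROM users WHERE userID = #url.id#
</cfquery>

<!--- 2. page.cfm, hardened: the value is sent as a bound parameter, never as SQL
      text, and cf_sql_integer rejects a non-numeric value before the query runs. --->
<cfquery name="qUser" datasource="myDSN">
    SELECT userID, userName FROM users
    WHERE userID = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 3. dba/getUserByID.cfm: stored procedure call wrapped as a custom tag.
      Assumed procedure (SQL Server syntax):
          CREATE PROCEDURE usp_getUserByID @userID int AS
          SELECT userID, userName FROM users WHERE userID = @userID
      dbvarname is not honoured, so cfprocparam order must match the procedure
      definition; keeping the call in one tag fixes that order in one place. --->
<cfif thisTag.executionMode is "start">
    <cfparam name="attributes.userID" type="numeric">
    <cfparam name="attributes.datasource" default="myDSN">
    <cfparam name="attributes.returnVariable" default="qUser">

    <cfstoredproc procedure="usp_getUserByID" datasource="#attributes.datasource#">
        <!--- first (and only) parameter of usp_getUserByID --->
        <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#attributes.userID#">
        <cfprocresult name="qResult">
    </cfstoredproc>

    <!--- hand the result set back to the calling page under the requested name --->
    <cfset "caller.#attributes.returnVariable#" = qResult>
</cfif>

<!--- 4. page.cfm, calling the tag: parameters are named by attribute, the tag
      owns the positional order, and no SQL string is assembled here at all. --->
<cfmodule template="/dba/getUserByID.cfm" userID="#url.id#" returnVariable="qUser">
<cfoutput query="qUser">#userID#: #userName#<br></cfoutput>
```

Because the tag declares `attributes.userID` with `type="numeric"`, a non-numeric request value fails at the cfparam before any database call; the cfsqltype on the cfprocparam gives a second, driver-level check on the same value.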
