I'd like to know what solutions you are using to prevent SQL
injection attacks. I understand that any data fed to a query through
CFQUERYPARAM will be validated and properly escaped, so that's a good
start. But CFQUERYPARAM has a couple of limitations, aside from the
fact that it can sometimes be more cumbersome than just constructing
the raw string of SQL:
1) it can't be used in cached queries
2) I'm not totally sure on this, but I don't think it can be used
with SQL wildcards, such as:
WHERE SomeField LIKE '#StartsWith#%'
Link to the livedocs:
http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/tags-b20.htm
What approaches do you take? I've found two relevant tags,
CF_AntiHack and CF_B_InputFilter, but neither one is completely satisfactory.
The AntiHack tag watches for a list of common attack keywords (DROP
TABLE, cmd.exe, etc). A start maybe, but I don't at all feel like
it's comprehensive.
The InputFilter tag can remove tags from input (might help with XSS
but not useful for SQL injection), and filters out "bad" characters
and replaces them with spaces. But "bad" characters used for attacks
are also good, meaningful characters on a lot of my inputs. I would
rather globally escape them so they're safe for SQL input rather than
just filtering them out completely.
Is the best course to use CFQUERYPARAM wherever possible, and then
validate the inputs myself on a case-by-case basis for the
queries where CFQUERYPARAM can't be used?
Thanks,
Conan
----------------------------------------------------------
To post, send email to [email protected]
To unsubscribe:
http://www.dfwcfug.org/form_MemberUnsubscribe.cfm
To subscribe:
http://www.dfwcfug.org/form_MemberRegistration.cfm
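Added example (editor's illustration, not code from the original post or from the list): the LIKE case the question raises, written so the user-supplied prefix still goes through CFQUERYPARAM. The wildcard is appended inside the parameter value rather than into the SQL text, and the LIKE metacharacters in the user's input are escaped first so a typed "%" or "_" matches literally instead of widening the search. The table and column names (Customers, LastName), the form field (startsWith) and the datasource variable (application.dsn) are assumptions; the ESCAPE clause syntax is the common form accepted by SQL Server, MySQL and Oracle, so check your own database's documentation.

```cfml
<!--- Added example, not from the original post. Assumed: a Customers table with a
      LastName column, a form field "startsWith", and a datasource in application.dsn. --->
<cfset startsWith = trim(form.startsWith)>

<!--- Escape LIKE metacharacters in the user's input so they are matched literally.
      Backslash is escaped first so a user-typed "\" cannot neutralise a later escape. --->
<cfset escaped = replace(startsWith, "\", "\\", "all")>
<cfset escaped = replace(escaped, "%", "\%", "all")>
<cfset escaped = replace(escaped, "_", "\_", "all")>

<!--- The "%" wildcard lives inside the bound value, not in the SQL string, so the
      query text never contains user input. maxlength bounds the parameter length. --->
<cfquery name="qCustomers" datasource="#application.dsn#">
    SELECT CustomerID, LastName
    FROM   Customers
    WHERE  LastName LIKE <cfqueryparam value="#escaped#%"
                                       cfsqltype="cf_sql_varchar"
                                       maxlength="60"> ESCAPE '\'
    ORDER  BY LastName
</cfquery>
```

The point of the layout is that the driver sends the parameter separately from the statement, so quoting inside the prefix cannot change the statement's structure; the escaping step is only there to keep the wildcard semantics under the application's control, not to defend against injection.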