Do y'all have some good examples of what I should be looking for?  I use
some basic validation methods but nothing fancy.  Are there certain
commands, etc. that I should make sure to validate against?

Thanks,

Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Matt Woodward
Sent: Wednesday, August 17, 2005 8:29 PM
To: [email protected]
Subject: Re: CFQUERYPARAM alternatives for input validation


Short answer in my mind is that you should validate your data even if
you're using cfqueryparam.  That's the only way to guarantee (insofar
as anything can be guaranteed at any rate) that your data is clean.  I
tend to just use cfqueryparam and validate before I even hit the point
where I'm sticking stuff in the database.  Multiple layers of
validation on both the client and server sides are necessary for good
safety.

Matt

On 8/17/05, Conan Saunders <[EMAIL PROTECTED]> wrote:
> I'd like to know what solutions you are using to prevent SQL
> injection attacks. I understand that any data fed to a query through
> CFQUERYPARAM will be validated and properly escaped, so that's a good
> start. But CFQUERYPARAM has a couple of limitations, aside from the
> fact that it can sometimes be more cumbersome than just constructing
> the raw string of SQL:
>
> 1) it can't be used in cached queries
> 2) I'm not totally sure on this, but I don't think it can be used
> with SQL wildcards, such as:
>
>         WHERE SomeField LIKE '#StartsWith#%'
>
> Link to the livedocs:
>
> http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/tags-b20.htm
>
> What approaches do you take? I've found two relevant tags,
> CF_AntiHack and CF_B_InputFilter, but neither one is completely
> satisfactory.
>
> The AntiHack tag watches for a list of common attack keywords (DROP
> TABLE, cmd.exe, etc). A start maybe, but I don't at all feel like
> it's comprehensive.
>
> The InputFilter tag can remove tags from input (might help with XSS
> but not useful for SQL injection), and filters out "bad" characters
> and replaces them with spaces. But "bad" characters used for attacks
> are also good, meaningful characters on a lot of my inputs. I would
> rather globally escape them so they're safe for SQL input rather than
> just filtering them out completely.
>
> Is the best course to use CFQUERYPARAM wherever possible, and then
> validate the inputs myself on a case-by-case basis for the
> queries where CFQUERYPARAM can't be used?
>
> Thanks,
> Conan
>
> ----------------------------------------------------------
> To post, send email to [email protected]
> To unsubscribe:
>    http://www.dfwcfug.org/form_MemberUnsubscribe.cfm
> To subscribe:
>    http://www.dfwcfug.org/form_MemberRegistration.cfm
>
>
>


--
Matt Woodward
[EMAIL PROTECTED]
http://www.mattwoodward.com
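An added example (not code from anyone in this thread) showing the two points above: CFQUERYPARAM does work with LIKE if the wildcard is placed in the parameter value rather than in the SQL text, and the input is still validated before the query, as Matt recommends. The names FORM.startsWith, tblPeople and myDSN are assumed, and the ESCAPE clause assumes a database that accepts the standard ESCAPE syntax (e.g. SQL Server).

```cfml
<!--- Added example, not from the thread. Assumed names: FORM.startsWith,
      tblPeople, myDSN. --->
<cfparam name="FORM.startsWith" default="">

<!--- 1. Validate first: reject empty, over-long or control-character input
      instead of "cleaning" it, so legitimate characters such as the
      apostrophe in O'Brien are kept and never silently altered. --->
<cfif Len(FORM.startsWith) EQ 0 OR Len(FORM.startsWith) GT 50
      OR REFind("[[:cntrl:]]", FORM.startsWith)>
    <cfthrow message="Invalid search term.">
</cfif>

<!--- 2. Neutralise LIKE metacharacters typed by the user. % and _ are still
      wildcards inside a bound parameter, so prefix them (and a literal
      backslash) with the escape character declared in the query. --->
<cfset safeTerm = REReplace(FORM.startsWith, "([%_\\])", "\\\1", "ALL")>

<!--- 3. The trailing % lives in the parameter VALUE, not in the SQL string,
      so the statement stays parameterised; the apostrophe in the name is
      bound by the driver and cannot break out of the literal. --->
<cfquery name="qPeople" datasource="myDSN">
    SELECT PersonID, LastName
    FROM   tblPeople
    WHERE  LastName LIKE <cfqueryparam value="#safeTerm#%"
                                       cfsqltype="cf_sql_varchar"
                                       maxlength="101"> ESCAPE '\'
</cfquery>
```

The cached-query limitation in the original post still stands: this pattern only addresses the wildcard question, and validation stays in place regardless of whether the query is parameterised.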