Personally I take the "whitelist" route as opposed to the "blacklist" route, which is what it sounds like you're trying to do. I check to see that the data I'm receiving is the data I'm expecting from a type standpoint for starters; that way they can't stick SQL commands at the end of stuff in the URL for example, and if I'm expecting a string it's not like them putting a drop statement in there is going to do anything anyway if I insert that into a varchar field. Nothing's foolproof but in my experience if you know what data you're expecting and check vigorously for that, and use cfqueryparam, you're pretty darn safe against sql injection attacks.
Matt

On 8/17/05, Kevin Fricke <[EMAIL PROTECTED]> wrote:
> Do ya'll have some good examples of what I should be looking for? I use
> some basic validation methods but nothing fancy. Are there certain
> commands, etc. that I should make sure to validate against?
>
> Thanks,
>
> Kevin
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Woodward
> Sent: Wednesday, August 17, 2005 8:29 PM
> To: [email protected]
> Subject: Re: CFQUERYPARAM alternatives for input validation
>
> Short answer in my mind is that you should validate your data even if
> you're using cfqueryparam. That's the only way to guarantee (insofar
> as anything can be guaranteed at any rate) that your data is clean. I
> tend to just use cfqueryparam and validate before I even hit the point
> where I'm sticking stuff in the database. Multiple layers of
> validation on both the client and server sides are necessary for good
> safety.
>
> Matt
>
> On 8/17/05, Conan Saunders <[EMAIL PROTECTED]> wrote:
> > I'd like to know what solutions you are using to prevent SQL
> > injection attacks. I understand that any data fed to a query through
> > CFQUERYPARAM will be validated and properly escaped, so that's a good
> > start. But CFQUERYPARAM has a couple of limitations, aside from the
> > fact that it can sometimes be more cumbersome than just constructing
> > the raw string of SQL:
> >
> > 1) it can't be used in cached queries
> > 2) I'm not totally sure on this, but I don't think it can be used
> > with SQL wildcards, such as:
> >
> > WHERE SomeField LIKE '#StartsWith#%'
> >
> > Link to the livedocs:
> >
> > http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/tags-b20.htm
> >
> > What approaches do you take? I've found two relevant tags,
> > CF_AntiHack and CF_B_InputFilter, but neither one is completely
> > satisfactory.
> >
> > The AntiHack tag watches for a list of common attack keywords (DROP
> > TABLE, cmd.exe, etc). A start maybe, but I don't at all feel like
> > it's comprehensive.
> >
> > The InputFilter tag can remove tags from input (might help with XSS
> > but not useful for SQL injection), and filters out "bad" characters
> > and replaces them with spaces. But "bad" characters used for attacks
> > are also good, meaningful characters on a lot of my inputs. I would
> > rather globally escape them so they're safe for SQL input rather than
> > just filtering them out completely.
> >
> > Is the best course to use CFQUERYPARAM wherever possible, and then
> > validate the inputs myself on a case-by-case basis for the
> > queries where CFQUERYPARAM can't be used?
> >
> > Thanks,
> > Conan
> >
> > ----------------------------------------------------------
> > To post, send email to [email protected]
> > To unsubscribe:
> > http://www.dfwcfug.org/form_MemberUnsubscribe.cfm
> > To subscribe:
> > http://www.dfwcfug.org/form_MemberRegistration.cfm
>
> --
> Matt Woodward
> [EMAIL PROTECTED]
> http://www.mattwoodward.com

--
Matt Woodward
[EMAIL PROTECTED]
http://www.mattwoodward.com
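The whitelist-then-cfqueryparam approach Matt describes, together with the LIKE wildcard and cached-query cases Conan raised, as an added CFML example that is not from this thread; it assumes a datasource named myDSN, a Customers table with CustomerID and LastName columns, and inputs arriving as url.customerID and form.startsWith.

```cfml
<!--- Added example, not from the thread. Assumed: datasource "myDSN",
      table Customers(CustomerID, LastName), inputs url.customerID
      and form.startsWith. --->

<!--- 1. Whitelist by type: customerID must look like a positive integer
      (1-10 digits, no leading zero). Anything else is rejected outright,
      so no SQL text can ride along in this parameter. --->
<cfparam name="url.customerID" default="">
<cfif NOT reFind("^[1-9][0-9]{0,9}$", url.customerID)>
    <cfthrow type="InvalidInput"
             message="customerID must be a positive integer">
</cfif>

<!--- 2. Whitelist a free-text prefix by allowed character set and length.
      Letters, digits, space and hyphen only: this also keeps the SQL
      LIKE metacharacters % and _ out of the prefix, so the only wildcard
      in the pattern is the one we append ourselves below. --->
<cfparam name="form.startsWith" default="">
<cfif NOT reFind("^[A-Za-z0-9 -]{1,40}$", form.startsWith)>
    <cfthrow type="InvalidInput"
             message="startsWith contains characters outside the allowed set">
</cfif>

<!--- 3. cfqueryparam with a wildcard: the % goes inside the parameter
      VALUE, not into the SQL text, so "prefix%" is bound as a single
      varchar and never concatenated into the statement. --->
<cfquery name="qCustomers" datasource="myDSN">
    SELECT CustomerID, LastName
    FROM   Customers
    WHERE  CustomerID = <cfqueryparam value="#url.customerID#"
                                      cfsqltype="cf_sql_integer">
      AND  LastName LIKE <cfqueryparam value="#form.startsWith#%"
                                       cfsqltype="cf_sql_varchar">
</cfquery>

<!--- 4. Cached query, where the thread says cfqueryparam is unavailable:
      the whitelist in step 1 is the only guard, so only the validated,
      integer-cast value is ever interpolated into the SQL. --->
<cfquery name="qCustomerCached" datasource="myDSN"
         cachedwithin="#createTimeSpan(0, 1, 0, 0)#">
    SELECT CustomerID, LastName
    FROM   Customers
    WHERE  CustomerID = #int(url.customerID)#
</cfquery>
```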
