oops... now with new and improved subject line! :)

In addition to <cfqueryparam>, on the server side I have been known to use cflib.org's sqlSafe(). http://www.cflib.org/udf.cfm?ID=1219
~Dave

On 8/17/05, Matt Woodward <[EMAIL PROTECTED]> wrote:
> Personally I take the "whitelist" route as opposed to the "blacklist" route, which is what it sounds like you're trying to do. I check to see that the data I'm receiving is the data I'm expecting from a type standpoint for starters; that way they can't stick SQL commands at the end of stuff in the URL for example, and if I'm expecting a string it's not like them putting a drop statement in there is going to do anything anyway if I insert that into a varchar field. Nothing's foolproof, but in my experience if you know what data you're expecting and check vigorously for that, and use cfqueryparam, you're pretty darn safe against SQL injection attacks.
>
> Matt
>
> On 8/17/05, Kevin Fricke <[EMAIL PROTECTED]> wrote:
> > Do y'all have some good examples of what I should be looking for? I use some basic validation methods but nothing fancy. Are there certain commands, etc. that I should make sure to validate against?
> >
> > Thanks,
> >
> > Kevin
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matt Woodward
> > Sent: Wednesday, August 17, 2005 8:29 PM
> > To: [email protected]
> > Subject: Re: CFQUERYPARAM alternatives for input validation
> >
> > Short answer in my mind is that you should validate your data even if you're using cfqueryparam. That's the only way to guarantee (insofar as anything can be guaranteed at any rate) that your data is clean. I tend to just use cfqueryparam and validate before I even hit the point where I'm sticking stuff in the database. Multiple layers of validation on both the client and server sides are necessary for good safety.
> >
> > Matt
> >
> > On 8/17/05, Conan Saunders <[EMAIL PROTECTED]> wrote:
> > > I'd like to know what solutions you are using to prevent SQL injection attacks.
> > > I understand that any data fed to a query through CFQUERYPARAM will be validated and properly escaped, so that's a good start. But CFQUERYPARAM has a couple of limitations, aside from the fact that it can sometimes be more cumbersome than just constructing the raw string of SQL:
> > >
> > > 1) it can't be used in cached queries
> > > 2) I'm not totally sure on this, but I don't think it can be used with SQL wildcards, such as:
> > >
> > > WHERE SomeField LIKE '#StartsWith#%'
> > >
> > > Link to the livedocs:
> > >
> > > http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/tags-b20.htm
> > >
> > > What approaches do you take? I've found two relevant tags, CF_AntiHack and CF_B_InputFilter, but neither one is completely satisfactory.
> > >
> > > The AntiHack tag watches for a list of common attack keywords (DROP TABLE, cmd.exe, etc). A start maybe, but I don't at all feel like it's comprehensive.
> > >
> > > The InputFilter tag can remove tags from input (might help with XSS but not useful for SQL injection), and filters out "bad" characters and replaces them with spaces. But "bad" characters used for attacks are also good, meaningful characters on a lot of my inputs. I would rather globally escape them so they're safe for SQL input rather than just filtering them out completely.
> > >
> > > Is the best course to use CFQUERYPARAM wherever possible, and then validate the inputs myself on a case-by-case basis for the queries where CFQUERYPARAM can't be used?
> > >
> > > Thanks,
> > > Conan
> > >
> > > ----------------------------------------------------------
> > > To post, send email to [email protected]
> > > To unsubscribe:
> > > http://www.dfwcfug.org/form_MemberUnsubscribe.cfm
> > > To subscribe:
> > > http://www.dfwcfug.org/form_MemberRegistration.cfm
> >
> > --
> > Matt Woodward
> > [EMAIL PROTECTED]
> > http://www.mattwoodward.com

--
~Dave Shuck
[EMAIL PROTECTED]
www.worldwildweb.biz
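Putting Matt's whitelist advice together with the LIKE case from Conan's question, here is an added CFML example; it is not code from anyone in the thread. The datasource in application.dsn, the customers table and its customerId, lastName and regionId columns are assumed.

```cfml
<!--- Added example, not from the thread. Assumes application.dsn names a
      datasource and a customers table with customerId, lastName, regionId. --->

<cfparam name="url.startsWith" default="">
<cfparam name="url.regionId" default="0">

<!--- Whitelist: accept only the shape you expect and reject everything else.
      The pattern deliberately excludes the LIKE metacharacters % and _ as
      well as quotes, so the bound value never needs an ESCAPE clause. --->
<cfif NOT isValid("regex", url.startsWith, "^[A-Za-z][A-Za-z '-]{0,39}$")>
    <cfthrow message="startsWith must be 1-40 letters, spaces, apostrophes or hyphens.">
</cfif>
<cfif NOT isValid("integer", url.regionId) OR url.regionId LT 1>
    <cfthrow message="regionId must be a positive integer.">
</cfif>

<!--- The wildcard goes into the bound value, never into the SQL text, so
      LIKE '#StartsWith#%' from the original question becomes the form below.
      cf_sql_integer is a second layer: ColdFusion itself rejects a value
      that is not an integer before the statement reaches the database. --->
<cfquery name="qCustomers" datasource="#application.dsn#">
    SELECT customerId, lastName
    FROM   customers
    WHERE  lastName LIKE <cfqueryparam value="#url.startsWith#%" cfsqltype="cf_sql_varchar" maxlength="41">
      AND  regionId = <cfqueryparam value="#url.regionId#" cfsqltype="cf_sql_integer">
    ORDER BY lastName
</cfquery>
```

If the whitelist ever needs to admit % or _, escape them in the value and add a matching ESCAPE clause to the LIKE rather than inlining the input into the SQL.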
