Hey all,
I just received this email that is generated when there is an error on a site I
built (www.woreitonce.com)
---E-MAIL
Invalid data 1 and 1=convert(int,(select top 1 char(97)+admin_password from
tbl_adminusers)) for CFSQLTYPE
You can't prevent people from trying but you can code to prevent it from
messing with your database. Make sure you are using cfqueryparam every
place you can or use Stored Procs.
Rick King wrote:
Hey all,
I just received this email that is generated when there is an error on a site
I
On Monday 06 Aug 2007, [EMAIL PROTECTED] wrote:
Is this a SQL injection attack?
Yes.
Anything I can do?
Beyond the obvious? No, it's a fact of life that internet-visible sites will
be attacked.
You're using cfqueryparam by the looks of it, and that'll take care of most
kidz.
--
Tom
I am using cfqueryparam, so hopefully that'll be good enough.
Thanks
On Monday 06 Aug 2007, [EMAIL PROTECTED] wrote:
Is this a SQL injection attack?
Yes.
Anything I can do?
Beyond the obvious? No, it's a fact of life that internet-visible
sites will
be attacked.
You're using
Looks that way.
Rey
Rick King wrote:
Hey all,
I just received this email that is generated when there is an error on a site
I built (www.woreitonce.com)
---E-MAIL
Invalid data 1 and 1=convert(int,(select top 1 char(97)+admin_password
Sorry didn't see your question at the bottom. One thing that will
definitely help is using CFQUERYPARAM to enforce datatype checks on your
conditional statements.
http://livedocs.adobe.com/coldfusion/6.1/htmldocs/tags-b20.htm
Also, consider writing code that will strip out certain commands
---E-MAIL
Invalid data 1 and 1=convert(int,(select top 1
char(97)+admin_password from tbl_adminusers)) for CFSQLTYPE
CF_SQL_INTEGER. The error occurred on line 30.
-E-MAIL
Is this a SQL
-Original Message-
From: Rick King [mailto:[EMAIL PROTECTED]
Sent: Monday, August 06, 2007 11:56 AM
Subject: SQL injection hack?
/Details.cfm
ProdID=1%20and%201=convert(int,(select%20top%201%20char(97)
%2badmin_password%20from%20tbl_adminusers))
IsNumeric and cfqueryparam
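Putting the advice in this thread (cfqueryparam plus a numeric check) into the kind of Details.cfm query the original URL was hitting. This is an added example, not code from the site or from anyone in the thread; the datasource, table and column names are assumed.

```cfml
<!--- Details.cfm (added example; assumed table/column names, not the site's code).

      VULNERABLE form, shown only for comparison, do not deploy:

      <cfquery name="getProduct" datasource="#application.dsn#">
          SELECT ProdID, ProdName, Price
          FROM   tbl_products
          WHERE  ProdID = #URL.ProdID#
      </cfquery>

      Here URL.ProdID is pasted straight into the SQL text, so a value like
      "1 and 1=convert(int,(select ...))" becomes part of the statement and the
      database's convert() error message can carry the selected value back to the
      attacker. --->

<cfparam name="URL.ProdID" default="0">

<!--- Validate before the query. IsNumeric() is false for "1 and 1=...", so the
      request is rejected here and never produces a cfqueryparam exception for the
      error log. Val() alone would turn the same payload into 1 and silently serve
      product 1, which is why the errors stopped but is a weaker check. --->
<cfif NOT IsNumeric(URL.ProdID) OR Val(URL.ProdID) LTE 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- HARDENED form: the value is bound as a typed parameter, so the SQL text never
      contains user input. cfqueryparam rejects anything that is not an integer
      (that rejection is the "Invalid data ... for CFSQLTYPE CF_SQL_INTEGER" error
      quoted at the top of the thread). --->
<cfquery name="getProduct" datasource="#application.dsn#">
    SELECT ProdID, ProdName, Price
    FROM   tbl_products
    WHERE  ProdID = <cfqueryparam value="#Val(URL.ProdID)#" cfsqltype="cf_sql_integer">
</cfquery>

<cfoutput>
    <cfif getProduct.recordCount EQ 0>
        <p>Product not found.</p>
    <cfelse>
        <h1>#HTMLEditFormat(getProduct.ProdName)#</h1>
        <p>#DollarFormat(getProduct.Price)#</p>
    </cfif>
</cfoutput>
```

The cfif check and cfqueryparam do different jobs: the first keeps junk out of the error log, the second is the actual injection control and stays in place even if a page forgets to validate.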
Just an FYI to everyone else: I've been at my current post for 3 years
and we've had pro-active error monitoring (versus reactive "hey my
site doesn't work") now for close to 2 years.
Just in the recent weeks we started seeing basic SQL injection hacks
on sites we host. We never saw anything like
Great info guys, thanks.
Just in the recent weeks we started seeing basic SQL injection hacks
on sites we host.
Yes, I see more and more of these on my sites too.
Of course, they cause an error thanks to CFQUERYPARAM, but they are
filling my error log table
with useless information.
So I'm planning to detect them
on for my DB objects and turn it off
where I feel it's not necessary.
Paul
-Original Message-
From: jonese [mailto:[EMAIL PROTECTED]
Sent: 06 August 2007 16:25
To: CF-Talk
Subject: Re: SQL injection hack?
Just an FYI to everyone else: I've been at my current post for 3 years
and we've
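One way to do the detection Paul describes, so that these probes are recorded somewhere useful instead of piling up in the general error table. This is an added example (not Paul's code or the site's): an Application.cfc onRequestStart that rejects non-integer values for parameters the site expects to be integers and writes one line per attempt to a dedicated log file. The parameter names are assumed.

```cfml
<!--- Application.cfc fragment (added example, not the site's code). Runs before
      every page, so the probe never reaches a cfquery and never raises the
      "Invalid data ... for CFSQLTYPE" exception that fills the error log. --->
<cffunction name="onRequestStart" returntype="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">

    <!--- URL parameters this site only ever uses as integers (assumed names). --->
    <cfset var intParams = "ProdID,CatID">
    <cfset var p = "">

    <cfloop list="#intParams#" index="p">
        <cfif StructKeyExists(URL, p) AND NOT IsValid("integer", URL[p])>
            <!--- Dedicated log (cf logs directory, file sqli_attempts.log):
                  client address, page, parameter and a bounded copy of the value.
                  Left() keeps one oversized value from bloating the log line. --->
            <cflog file="sqli_attempts" type="warning"
                   text="#CGI.REMOTE_ADDR# #arguments.targetPage# #p#=#Left(URL[p], 200)#">
            <cfheader statuscode="404" statustext="Not Found">
            <!--- Returning false ends the request here. --->
            <cfreturn false>
        </cfif>
    </cfloop>

    <cfreturn true>
</cffunction>
```

This is a log-and-drop filter, not a replacement for cfqueryparam: every query should still bind its values, and the type check in the query is what protects the pages this function does not know about.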
[mailto:[EMAIL PROTECTED]
Sent: Monday, August 06, 2007 12:01 PM
To: CF-Talk
Subject: RE: SQL injection hack?
We've been seeing the exact same thing, basic SQL injection attacks all
originating from China... It looks automated as they've spidered several
sites we host using the exact same technique
In CF 8 it's worth noting that the type checking can be turned off for
performance gains. I guess this is a trade off...
IMO, it is not only a trade off, it's kind of stupid...
Where do you need performance? On the production server, but it is also
there that
you need security.
One could
Thanks John...this is a great checklist.
-Original Message-
From: John Mason [mailto:[EMAIL PROTECTED]
Sent: Monday, August 06, 2007 12:25 PM
To: CF-Talk
Subject: RE: SQL injection hack?
You'll also see these automated scripts hitting other services like ftp,
email, etc. You need
Someone might have to test this out, but my CF8 admin only lets me
disable the CFC Type Check (so it says), so cfqueryparam
wouldn't/shouldn't be affected by this.
Steve Cutter Blades
Adobe Certified Professional
Advanced Macromedia ColdFusion MX 7 Developer
Looks like using the Val() function did the trick.
No more errors being generated :)
Thanks
Rick