>> CFQUERYPARAM creates a prepared statement
>> containing bound parameters. 

Just because some of you might find this fun and slightly related to the 
above...


I'm working on a Congressional site at the moment, and ColdFusion is 
*very* poorly supported to start with. The "official house supported" 
version is CF5, so I'm having to rewrite most of my carefully crafted 
snippets and reusable code chunks.

Anyway, once you're logged onto the house network and posted your files, 
they have to go through a "security scan" before they can go live. The 
scan doesn't take cfqueryparam into consideration at all, so my first 
scan of a dynamic page generated about 5 pages worth of "failed" reports 
that looked like:

ScanDo included the ' (apostrophe) character in the parameter value. The 
server's reply indicates that the parameter is vulnerable to 
manipulation using SQL symbols.
1)High Severity
URL: mypage-detail.cfm?id=97'
Solution: Make sure parameter values sent by remote users do not include 
SQL commands or symbols. Validate and sanitize every user variable 
passed to the database. Check that the input has the expected data type. 
Never pass unchecked user-input to database-queries.

Basically, the scan program tries about every SQL Injection trick known 
to man, and if you fail one of them, you don't go live. All my carefully 
written queries using cfqueryparam meant nothing. Pfffftttt!

So, for every single variable passed to a query, about the only way to 
pass the security scan was to do this:

<!--- Abort the request if fname contains any character from the blacklist
      set "!<[^>]+%>!=" (FindOneOf returns the position of the first match,
      or 0 if none is found). --->
<cfif IsDefined("fname") and (FindOneOf("!<[^>]+%>!=", fname, 1) NEQ 0)>
    <cfabort>
</cfif>


Sheesh.....

But, this presents a HUGE problem. The client has requested an admin 
section to update content on certain pages. So, a simple <p> tag which 
needs to get passed will trigger the cfabort above. ACK!

I'm glad I'm getting paid well for this....

More later once I've got it all figured out on how to give the client 
what they want but pass all the required BS needed to get stuff 
approved, including the "Secret Squirrel Security Code Generator" that 
we've now got that displays a security code to log in to the house 
private network that changes every 60 seconds. This is fun stuff...


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:230686
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54

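The validate-by-expected-type approach the scanner's own advice describes, as an added example that is not the poster's code: the numeric id is checked before the query so that `id=97'` gets a clean 400 rather than a CF error page, while the admin body field keeps its `<p>` tags and is bound with cfqueryparam instead of being run through a character blacklist. It uses only CF5-era functions (REFind rather than IsValid) and assumes a datasource "housedsn", a table "pages" with columns id and body, and an admin form field "body".

```cfml
<!--- Added example, not from the original post. Assumed names: datasource
      "housedsn", table "pages" (id integer, body text), form field "body". --->

<!--- Detail page: the id must be a plain integer. Reject "97'" before any
      query runs and answer with a clean 400; an error page in the reply is
      what the scanner reads as "vulnerable to manipulation". REFind is used
      instead of IsValid() because IsValid does not exist in CF5. --->
<cfif NOT IsDefined("url.id") OR NOT REFind("^[0-9]{1,9}$", url.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput><p>Invalid page id.</p></cfoutput>
    <cfabort>
</cfif>

<cfquery name="page" datasource="housedsn">
    SELECT id, body
    FROM   pages
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Admin update: the body is expected to carry HTML such as <p>, so no
      character blacklist here. The value is bound as a parameter, so quotes
      and angle brackets reach the database as data, never as SQL. The only
      check is a constructed length limit. Whether that stored HTML is safe
      to render later is a separate trust decision about the admin users. --->
<cfif NOT IsDefined("form.body") OR Len(form.body) GT 20000>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<cfquery datasource="housedsn">
    UPDATE pages
    SET    body = <cfqueryparam value="#form.body#" cfsqltype="cf_sql_varchar">
    WHERE  id   = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```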