Do you think when I am using cfqueryparams, for example with numbers like this, it is secured?

SELECT * FROM product WHERE productoid=<cfqueryparam value="#url.productoid#" cfsqltype="CF_SQL_INTEGER" maxlength="6">

Another example I am thinking is worse is with text; I made it like this:

SELECT * FROM item WHERE L3=<cfqueryparam value="#url.L3#" cfsqltype="CF_SQL_VARCHAR" maxlength="22">

I added maxlength too as more security; with PRODUCTOID it is always 6, and text no more than 22. Do you think this should work to secure the site? Not talking about permissions to database etc., just about cfqueryparams.

On Wed, Jul 23, 2008 at 9:48 PM, Mark Kruger <[EMAIL PROTECTED]> wrote:
> Excuse me... But why are you checking script_name and Path_info for "EXEC(" .... Both of these are generated on the web server - not sent by the browser... So I'd be interested to know your reasoning. Also, form elements are not part of the "query_string" since they are passed in a form "body" container separate from the header.
>
> If you are looking for a stop gap try the isSQLInject function on cflib.org (and make sure you add declare, cast and exec to the list). I posted a snippet on my blog that uses this UDF like so:
>
> <!--- check the URL scope --->
> <cfif isDefined('url')>
>   <cfloop collection="#url#" item="uItem">
>     <cfif isSQLInject(url[uItem])>
>       <cfabort>
>       ... Or whatever action you want.
>     </cfif>
>   </cfloop>
> </cfif>
> <!--- check the FORM scope --->
> <cfif isDefined('form')>
>   <cfloop collection="#form#" item="fItem">
>     <cfif isSQLInject(form[fItem])>
>       <cfabort>
>       ... Or whatever action you want
>     </cfif>
>   </cfloop>
> </cfif>
>
> Of course if you use cookies inside of queries, or copy stuff to the request or attributes scope (a la fusebox 2-3) then you might need additional iterations. In my opinion this is a stop gap measure and should not be used to 'stand in' for not using bound variables and actual validation routines based on the form being submitted or url being fetched.
> You should still redress the issues with your code in spite of measures like this one. In addition - looping through available user input scopes can be expensive and it can result in false positives. If someone submits a comment in a forum that says they are "Casting about for a solution" or that they "declare the issue resolved" then these items will be trapped unnecessarily by the code above. If the vars are properly bound however, they will be safely inserted into the DB as part of the comments.
>
> -Mark
>
> =========== here's the modified UDF ===========
>
> <cfscript>
> /**
>  * Tests a string, one-dimensional array, or simple struct for possible SQL injection.
>  *
>  * @param input String to check. (Required)
>  * @return Returns a boolean.
>  * @author Will Vautrain (vautrain@yahoo.com)
>  * @version 1, July 1, 2002
>  */
> function IsSQLInject(input) {
>     var listSQLInject = "cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,drop,--,'";
>     var arraySQLInject = ListToArray(listSQLInject);
>     var i = 1;
>
>     for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {
>         if(findNoCase(arraySQLInject[i], input)) return true;
>     }
>
>     return false;
> }
> </cfscript>

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309628
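The following Python/sqlite3 script is an added illustration of the two points in this thread; it is not code from either message, from cflib.org, or from ColdFusion itself. It binds the product id as a query parameter (the role cfqueryparam plays) after applying checks analogous to cfsqltype="CF_SQL_INTEGER" with maxlength="6", and it ports the quoted IsSQLInject keyword list (with "declare" added, as Mark suggests) so you can see that the comment text Mark mentions is flagged by the keyword scan yet stored verbatim and harmlessly by the bound insert. The table names, sample rows, the 200-character comment limit and the function names are assumptions made for the example.

```python
import re
import sqlite3

# Keyword list from the quoted IsSQLInject UDF, plus "declare" as Mark suggests adding.
SQL_INJECT_LIST = ("cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,"
                   "update,delete,drop,--,',declare")


def is_sql_inject(value):
    """Port of the quoted UDF: True if any listed token occurs anywhere in the
    string, case-insensitively. Substring matching is why ordinary prose
    such as "Casting about..." trips it (a false positive)."""
    lowered = value.lower()
    return any(token.lower() in lowered for token in SQL_INJECT_LIST.split(","))


def validate_integer(raw, maxlength):
    """Analogue of cfsqltype="CF_SQL_INTEGER" with maxlength: the raw URL value
    must be an optionally signed run of digits no longer than maxlength;
    anything else is rejected before it gets near the database."""
    if len(raw) > maxlength or not re.fullmatch(r"-?\d+", raw):
        raise ValueError("rejected productoid %r" % raw)
    return int(raw)


def validate_varchar(raw, maxlength):
    """Analogue of cfsqltype="CF_SQL_VARCHAR" with maxlength: only the length is
    limited; the content is not filtered because it will be bound, not spliced."""
    if len(raw) > maxlength:
        raise ValueError("rejected text longer than %d chars" % maxlength)
    return raw


def setup_db():
    """Constructed in-memory schema and sample row for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (productoid INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE comment (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO product VALUES (123456, 'Widget')")
    return conn


def find_product(conn, raw_productoid):
    """SELECT with the id passed as a bind parameter after the type/length check."""
    productoid = validate_integer(raw_productoid, 6)
    # The '?' placeholder is a bind parameter: the value travels as data, never as SQL text.
    return conn.execute(
        "SELECT name FROM product WHERE productoid = ?", (productoid,)
    ).fetchall()


def store_comment(conn, raw_body):
    """INSERT free text through a bind parameter and read it back unchanged."""
    body = validate_varchar(raw_body, 200)
    cur = conn.execute("INSERT INTO comment (body) VALUES (?)", (body,))
    row = conn.execute("SELECT body FROM comment WHERE id = ?", (cur.lastrowid,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = setup_db()
    print(find_product(db, "123456"))          # [('Widget',)]
    for bad in ("1234567", "12a"):             # too long / not an integer
        try:
            find_product(db, bad)
        except ValueError as err:
            print(err)
    text = "Casting about for a solution; I declare it resolved"
    print(is_sql_inject(text))                 # True: flagged by the keyword scan
    print(store_comment(db, text) == text)     # True: stored verbatim via binding
```

The keyword scan has to guess at intent from substrings, so "cast" inside "Casting" and "declare" in a sentence are indistinguishable from SQL; the bound insert does not need to guess, because the driver sends the text as a parameter value rather than as part of the statement.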