> Had some interesting errors in our logs yesterday. It
> appears that someone's trying to hack our database by
> inserting SQL query language into the URL string.
>
> We're doing all the standard security measures, including
> filtering for single quotes, using database passwords, and
> the like, and we locked out their IP immediately. But really,
> how do you prevent this? Any ideas/feedback out there?
There are a number of things you can do to address this:

1. Apply a generic input filter to your web server.
2. Validate all data sent to your application.
3. Limit the application's rights to the database.
4. Use stored procedures exclusively.

Typically, you should at least do the second and third items listed. The primary issue is one of data validation - making sure that values contain the appropriate datatype, and if they're string values, that they don't contain metacharacters that would allow the execution of code.

Another essential item is to limit what rights your application has within the database; typically, your application should only have rights to read and write data. If you use stored procedures exclusively, you can limit the application's rights even further, only allowing it to execute the stored procedures. Note that you can do this entirely within the database: create a login and give it the specified rights, then use that login within your application's datasource. You can also configure the datasource itself to limit rights, which is also good but is no substitute for doing so within the database itself.

As mentioned in the first item, you can use an input filter, which is a piece of software you install on your web server. There are several available for IIS, such as Microsoft's free URLScan tool or eEye's SecureIIS:

http://www.microsoft.com/technet/security/
http://www.eeye.com/

I'd recommend that you perform data validation within your application in any case, though.
These sorts of issues are covered in Fig Leaf Software's "Securing ColdFusion Servers on Windows" one-day seminar, if you're interested in that:

http://training.figleaf.com/figleaftraining/Courses/Securing-ColdFusion-Servers-on-Windows.cfm

I'm also going to talk about input filtering at the CF_NORTH conference, I think:

http://www.cfnorth.com/Agenda/CFnorthCore.cfm?page=Topics

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
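The second item in the reply, datatype validation of values taken from the URL, is the one the reply says is primary. The following is an added example and not code from either poster; it uses Python with an in-memory SQLite table standing in for the poster's database (constructed sample data, hypothetical function names). It places the concatenation pattern the original poster saw being probed beside a validated, parameter-bound version. Note that for a numeric parameter the crafted value in the test contains no single quote at all, which is why quote filtering on its own does not cover this case.

```python
import re
import sqlite3


def build_db():
    """Constructed sample table standing in for the real product database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", 9.99), (2, "Gadget", 19.99), (3, "O'Brien's Gizmo", 4.50)],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, raw_id):
    """The 'before' pattern: the URL value is pasted straight into SQL text.

    Kept only to show what validation and binding prevent."""
    sql = f"SELECT id, name FROM products WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def validate_int(raw, lo=1, hi=2**31 - 1):
    """Datatype validation: accept only a bounded decimal integer, reject anything else."""
    if not re.fullmatch(r"\d{1,10}", raw):
        raise ValueError(f"not an integer: {raw!r}")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError(f"out of range: {value}")
    return value


def lookup_safe(conn, raw_id):
    """Validated value passed as a bound parameter, never as SQL text."""
    product_id = validate_int(raw_id)
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (product_id,)
    ).fetchall()


def search_safe(conn, raw_name):
    """String values: bind them too, so legitimate apostrophes (O'Brien) survive
    and no character in the value can change the statement."""
    if len(raw_name) > 50:
        raise ValueError("name too long")
    return conn.execute(
        "SELECT id, name FROM products WHERE name LIKE ?", (raw_name + "%",)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()
    print(lookup_safe(conn, "1"))
    print(search_safe(conn, "O'Brien"))
    try:
        lookup_safe(conn, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The integer check rejects anything that is not a short run of digits before the database ever sees it, and the bound parameter means the driver ships the value separately from the statement. The reply's third and fourth items (a restricted database login, execute-only rights on stored procedures) are applied with the database server's own login and permission statements and are not shown here.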