I haven't used this tag, but did write an in-house UDF that is called in
Application.cfm.  It simply loops through all form, url, and cookie
parameters and replaces a single quote with chr(96) (hope I got that right),
and strips HTML tags.  It would be very easy to change this to also strip
out semi-colons.  The logic/code required is very simple to do.  There are a
few samples of stuff like this at www.cflib.org.

This is a filtering method, and may not catch everything, but with this, and
our use of stored procs where we can, and CFQUERYPARAM, I don't think we are
open to this attack.  hmmm... I better go test that to be sure.... <grins>

Shawn Grover
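Since the thread hinges on quote filtering versus CFQUERYPARAM, here is an added illustration (not code from any of the posters, nor from the cf_formfilter tag) of why the two are not interchangeable. The datasource name application.dsn, the items and users tables, the page name and the request URL are all constructed for the example.

```cfml
<!--- Constructed request for illustration:  /item.cfm?id=1%20OR%201=1
      A filter that rewrites single quotes (or strips semi-colons) leaves
      this value untouched: it contains neither. --->

<!--- Vulnerable: the URL value is interpolated straight into the SQL text,
      so the statement sent to the database becomes
          WHERE id = 1 OR 1=1
      and returns every row. --->
<cfquery name="getItem" datasource="#application.dsn#">
    SELECT id, name, price
    FROM   items
    WHERE  id = #url.id#
</cfquery>

<!--- Hardened: a bound parameter. The value travels separately from the
      SQL text, and cfsqltype="cf_sql_integer" makes ColdFusion reject
      "1 OR 1=1" with an invalid-data error before the query is run. --->
<cfquery name="getItem" datasource="#application.dsn#">
    SELECT id, name, price
    FROM   items
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- The same pattern for string input. maxlength bounds the parameter,
      and no number of quotes or semi-colons in form.username can turn the
      statement into anything other than this one SELECT. --->
<cfquery name="getUser" datasource="#application.dsn#">
    SELECT id, username
    FROM   users
    WHERE  username = <cfqueryparam value="#form.username#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>
```

A scope-wide filter in Application.cfm is still a reasonable first line of defence and a good place to log suspicious input, but it should be treated as defence in depth: the parameter binding is what actually closes the hole, so every dynamic value in every cfquery (URL, form and cookie alike) should pass through cfqueryparam rather than into the SQL string.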

-----Original Message-----
From: Brian Scandale [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:53 AM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?


There is a custom tag... <cf_formfilter> on the developers exchange that
I've been using... It searches the caller.form.fieldnames structure looking
for all sorts of nasty includes.

After just reading it again I think I can also make it filter url submitted
input as well.

Anyone here use or have comments on this tag's limitations? Was an easy first
step for me but I am suddenly worried about url hacks as well.

Brian



At 08:17 AM 4/12/02 -0700, you wrote:
>Hi all,
>
>Had some interesting errors in our logs yesterday. It appears that someone's
>trying to hack our database by inserting SQL query language into the URL
>string.
>
>We're doing all the standard security measures, including filtering for
>single quotes, using database passwords, and the like, and we locked out
>their IP immediately. But really, how do you prevent this? Any
>ideas/feedback out there?
>
>Ian
>
>Portent Interactive
>Helping clients build customer relationships on the web since 1995
>Consulting, design, development, measurement
>http://www.portentinteractive.com
>
>

______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
