RE: Preventing SQL injection attacks...?

2002-04-14 Thread Dave Watts

> Is CFID and CFTOKEN vulnerable to this if they are stored as 
> COOKIES and you are using a DB to store client variables?
> 
> Since I assume you could easily modify the CFID and CFTOKEN 
> in your cookie file that browser maintains.

To be honest, I don't really know what the exact SQL is that's sent by CF to
the database in this case. You might want to trace SQL queries to find out.
In any case, the way I've avoided worrying about this in the past is to
simply limit the rights of the CF user in the database so that it can't do
anything but touch those two tables.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

__
This list and all House of Fusion resources hosted by CFHosting.com. The place for 
dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists



RE: Preventing SQL injection attacks...?

2002-04-14 Thread Dave Watts

> "One of my favorites is the use of the SQL Server system stored
> procedure xp_cmdshell to open a command shell, which can be used to
> fetch a file from an attacker's FTP server and run it."
> 
> I always knew Dave was a cracker (not hacker!) extraordinaire :-)

Oh, hardly. I didn't discover it myself, I've never used it without explicit
permission in order to demonstrate a vulnerability to a client, and I
couldn't find a buffer overflow to save my life, due to my poor
C/assembler/disassembler skills.

Seriously, though, it's unfortunate but true that if you're in the business
of developing and deploying open network applications, you have to be aware
of the security implications and requirements. It's been my experience that
very few people pay adequate attention to this until it's too late.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




RE: Preventing SQL injection attacks...?

2002-04-12 Thread Dave Watts

> why not just use cfqueryparam, it validates and it makes your 
> sql code run faster???

While using CFQUERYPARAM can provide better performance than not using it,
certain platforms will benefit more from stored procedures than from
prepared statements - SQL Server, for example. On the other hand, I've been
told that in many cases Oracle benefits more from prepared statements than
from stored procedures, so I guess you have to know what will perform best
on your platform.

However, from a security perspective, stored procedures provide more than
simple data validation. If you use stored procedures exclusively, you can
limit access from the application to only those stored procedures, which
prevents an attacker from running any query other than those you've written
yourself as stored procedures.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




RE: RE: Preventing SQL injection attacks...?

2002-04-12 Thread Dave Watts

> This code would fail my own code review. I don't allow any 
> "url." or "form." variables inside CFQUERY statements. This, 
> however, might pass.
> 
> 
> 
>"[*,;^>:?<|\]", "" , "ALL" )))#>
> 
>   
> 
> 
> 
> 
>   update people
>   set updated = '#dateformat(now(), "MM/DD/")#'
>   where peopleid =  cfsqltype="cf_sql_integer">
> 
> 
> (Note: I am not using CFQueryParam here as a validation tool.  
> I already know the variable is an integer. This query is from 
> a header and will fire every page load so I want successive 
> queries to run from cache on the Database server.)

While it's better in this case to be too cautious, rather than not cautious
enough, you're really doing more work here than is necessary. If you want to
ensure that something is an integer, you can just use IsNumeric or the
CFPARAM tag, if you want to do that before you attempt to execute the query.
I agree with you that the validation should take place before the query,
since that way you can respond appropriately without having to put exception
handlers throughout your code. Also, you'd be better off not running the
query if the variable isn't defined beforehand, rather than initializing the
variable and running the query even though you won't return any results.

Also, there's nothing wrong with referencing the URL or Form scope within a
CFQUERY or CFSTOREDPROC, as long as you've validated the appropriate
variables within that scope. Remember, these scopes are writable, they're
not just read-only. Personally, I'd prefer sticking with the original
variables, if for no other reason than general readability.

Finally, you can simplify and "clean up" your code slightly by removing the
unnecessary hashes and comparisons:



Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




RE: RE: RE: Preventing SQL injection attacks...?

2002-04-12 Thread Dave Watts

> i will have to take your word for it since i have probably 
> never used cfquery param, nor intend to. i personally always 
> use stored procedures and i do all of my validation myself. 
> if cfqueryparam works for you, then use it and god bless. i 
> have been taught differently and personally i don't think i 
> would trust it.

The validation done by creating a prepared statement is, as far as I can
tell, identical to that done within a stored procedure. When you use
CFQUERYPARAM, you're creating a prepared statement; the CFQUERYPARAM itself
is what you might call a "bound parameter" to that statement.

In any case, never say never, as you may not be able to guarantee that
you'll always have the freedom to dictate whether you'll use stored
procedures. You may, for example, work against a database in which you don't
have rights to create stored procedures, or you may work against a database
that doesn't support the use of stored procedures. At that time, you'll need
to deal with validation elsewhere.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




Re: RE: RE: RE: Preventing SQL injection attacks...?

2002-04-12 Thread ksuh

I myself use SP's whenever possible (there are times when this isn't 
possible).  However, it's beneficial to correctly outline what 
<cfqueryparam> does, for those people on the list that should be using 
<cfqueryparam>.

- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 2:03 pm
Subject: RE: RE: RE: Preventing SQL injection attacks...?

> i will have to take your word for it since i have probably never 
> used cfquery
> param, nor intend to. i personally always use stored procedures 
> and i do all
> of my validation myself. if cfqueryparam works for you, then use 
> it and god
> bless. i have been taught differently and personally i don't think 
> i would
> trust it.
> 
> Anthony Petruzzi
> Webmaster
> 954-321-4703
> [EMAIL PROTECTED]
> http://www.sheriff.org
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 12, 2002 3:24 PM
> To: CF-Talk
> Subject: Re: RE: RE: Preventing SQL injection attacks...?
> 
> 
> No, it won't.
> 
> It'll produce the SQL equivalent of:
> 
> select * from mytable where username = 'tony ''drop table 
> tablename --'
> 
> - Original Message -
> From: [EMAIL PROTECTED]
> Date: Friday, April 12, 2002 11:46 am
> Subject: RE: RE: Preventing SQL injection attacks...?
> 
> > still. if i had the value
> > 
> > tony ' drop table tablename--
> > 
> > and a cfqueryparam with a type of CF_SQL_VARCHAR
> > 
> > it would still pass in the value as such
> > 
> > select * from mytable where username = 'tony ' drop table 
> > tablename--'
> > 
> > which would cause the table to be dropped.
> > 
> > 
> > Anthony Petruzzi
> > Webmaster
> > 954-321-4703
> > [EMAIL PROTECTED]
> > http://www.sheriff.org
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, April 12, 2002 1:45 PM
> > To: CF-Talk
> > Subject: Re: RE: Preventing SQL injection attacks...?
> > 
> > 
> > <cfqueryparam> does in fact prevent that code from running.  
> > <cfqueryparam> creates a prepared statement with parameters.  It 
> > then 
> > compares what you've entered as a value with the datatype you've 
> > specified and, if successful, binds the parameters with what 
> > you've 
> > entered.  So, if you entered:
> > 
> > select * from table where id =  > cfsqltype="CF_SQL_DECIMAL">
> > 
> > and then in your url entered: id=12;drop table yourtable
> > 
> > It would throw you an error.
> > 
> > As well, if you had:
> > 
> > select * from table where id =  > cfsqltype="CF_SQL_VARCHAR">
> > 
> > It would create the equivalent SQL statement of:
> > 
> > select * from table where id = '12;drop table yourtable'
> > 
> > - Original Message -
> > From: [EMAIL PROTECTED]
> > Date: Friday, April 12, 2002 11:00 am
> > Subject: RE: Preventing SQL injection attacks...?
> > 
> > > let's say you have a text field that is 100 characters long. 
> you 
> > > can still
> > > get a "drop table tablename" appended to the sql statement or 
> > > write an
> > > entire sql statement. Cfqueryparam was meant to speed up 
> cfquery, 
> > > not be to a
> > > cure all.
> > > 
> > > Anthony Petruzzi
> > > Webmaster
> > > 954-321-4703
> > > [EMAIL PROTECTED]
> > > http://www.sheriff.org
> > > 
> > > 
> > > -Original Message-
> > > From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, April 12, 2002 1:06 PM
> > > To: CF-Talk
> > > Subject: Re: Preventing SQL injection attacks...?
> > > 
> > > 
> > > [EMAIL PROTECTED] wrote:
> > > 
> > > >you can't forget that form fields also play a part in this. after 
> > > >reading the information provided in jeff's link, it did shine a 
> > > >light. although i have been taught from the beginning to always use 
> > > >val() around numeric values (thank Adam) and to use regex to validate 
> > > >text input (props Raymond). if you're anal and take the time to make 
> > > >sure that the information that people are passing you is in the exact 
> > > >format you want, you shouldn't have a problem. also, don't rely on 
> > > >javascript, i always do server-side validation even after client side, 
> > > >just to make certain. i even go as far as putting as much validation 
> > > >as i can into my stored procedures and triggers. although SQL server 
> > > >doesn't support regular expressions, which sucks! anyone know a way it 
> > > >could?
> > > >
> > > why not just use cfqueryparam, it validates and it makes your sql 
> > > code run faster???
> > > 
> > 
> > 
> 
> 
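Added illustration, not code from any post in this thread: Dave's point that CFQUERYPARAM is a bound parameter of a prepared statement, and ksuh's description of the two steps (type check, then bind), reproduced in Python with sqlite3 standing in for the database. The payloads are the ones quoted above; the table rows, the TYPE_PATTERNS approximation of the cfsqltype check, and the function names are my own assumptions, not ColdFusion's implementation.

```python
import re
import sqlite3

# Values quoted in the thread; the table contents are constructed sample data.
VARCHAR_PAYLOAD = "tony ' drop table tablename--"
NUMERIC_PAYLOAD = "12;drop table yourtable"
SAMPLE_ROWS = [("tony", 1), ("alice", 2), ("bob", 12)]

# Pattern each simulated cfsqltype accepts before a value is bound (an
# approximation of the type check for this example, not ColdFusion's code).
TYPE_PATTERNS = {
    "CF_SQL_INTEGER": re.compile(r"-?\d+"),
    "CF_SQL_DECIMAL": re.compile(r"-?\d+(\.\d+)?"),
    "CF_SQL_VARCHAR": re.compile(r".*", re.DOTALL),
}


def make_db():
    """Fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (username text, id integer)")
    conn.executemany("insert into mytable values (?, ?)", SAMPLE_ROWS)
    return conn


def check_type(value, cfsqltype):
    """Step 1 of the bound parameter: compare the value with the declared type.
    A numeric type given a non-numeric value is the 'throw you an error' case."""
    pattern = TYPE_PATTERNS.get(cfsqltype)
    if pattern is None:
        raise ValueError(f"unknown cfsqltype {cfsqltype!r}")
    text = str(value)
    if not pattern.fullmatch(text):
        raise ValueError(f"{text!r} is not valid for {cfsqltype}")
    if cfsqltype == "CF_SQL_INTEGER":
        return int(text)
    if cfsqltype == "CF_SQL_DECIMAL":
        return float(text)
    return text


def rejects(value, cfsqltype):
    """True when the type check refuses the value, so no query is sent at all."""
    try:
        check_type(value, cfsqltype)
    except ValueError:
        return True
    return False


def bound_query(conn, sql, value, cfsqltype):
    """Step 2: bind. The statement text (with its ? placeholder) and the value
    travel to the driver separately, so the value is never parsed as SQL."""
    coerced = check_type(value, cfsqltype)
    return conn.execute(sql, (coerced,)).fetchall()


def equivalent_sql(sql, value):
    """What the bound statement is *equivalent to* for a string value, as ksuh
    describes it: one literal with embedded quotes doubled. Display only."""
    return sql.replace("?", "'" + str(value).replace("'", "''") + "'")


def table_exists(conn, name):
    """Check that a table survived (the thread's payloads try to drop one)."""
    row = conn.execute(
        "select 1 from sqlite_master where type = 'table' and name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    print(equivalent_sql("select * from mytable where username = ?", VARCHAR_PAYLOAD))
    print(bound_query(conn, "select * from mytable where username = ?",
                      VARCHAR_PAYLOAD, "CF_SQL_VARCHAR"))
    print("rejected as decimal:", rejects(NUMERIC_PAYLOAD, "CF_SQL_DECIMAL"))
    print("mytable still there:", table_exists(conn, "mytable"))
```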



RE: RE: RE: Preventing SQL injection attacks...?

2002-04-12 Thread Tony_Petruzzi

i will have to take your word for it since i have probably never used cfquery
param, nor intend to. i personally always use stored procedures and i do all
of my validation myself. if cfqueryparam works for you, then use it and god
bless. i have been taught differently and personally i don't think i would
trust it.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org





Re: RE: RE: Preventing SQL injection attacks...?

2002-04-12 Thread ksuh

No, it won't.

It'll produce the SQL equivalent of:

select * from mytable where username = 'tony ''drop table tablename --'




Re: RE: Preventing SQL injection attacks...?

2002-04-12 Thread Rick Walters

This code would fail my own code review.  I don't allow any "url." or
"form." variables inside CFQUERY statements.  This, however, might
pass.



:?<|\]", "" , "ALL" )))#>






  update people
  set updated = '#dateformat(now(), "MM/DD/")#'
  where peopleid = 


(Note:  I am not using CFQueryParam here as a validation tool.  I
already know the variable is an integer.  This query is from a header
and will fire every page load so I want successive queries to run from
cache on the Database server.)



Good Fortune,
Richard Walters,
Webmaster, Davita Laboratory Services
[EMAIL PROTECTED]
(800) 604-5227 x 3525




RE: RE: Preventing SQL injection attacks...?

2002-04-12 Thread Ian Lurie

What if you added a replace statement, doubling up on all single quotes?...




RE: Preventing SQL injection attacks...?

2002-04-12 Thread Hoffman, Joe (CIT)

http://www.houseoffusion.com/hof/security/database.cfm

Joe Hoffman mailto:[EMAIL PROTECTED]
National Institutes of Health 
Center for Information Technology 
Division of Computer System Services

-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?


Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's
trying to hack our database by inserting SQL query language into the URL
string.

We're doing all the standard security measures, including filtering for
single quotes, using database passwords, and the like, and we locked out
their IP immediately. But really, how do you prevent this? Any
ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com





RE: RE: Preventing SQL injection attacks...?

2002-04-12 Thread Tony_Petruzzi

still. if i had the value

tony ' drop table tablename--

and a cfqueryparam with a type of CF_SQL_VARCHAR

it would still pass in the value as such

select * from mytable where username = 'tony ' drop table tablename--'

which would cause the table to be dropped.


Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org





RE: Preventing SQL injection attacks...?

2002-04-12 Thread Shawn Grover

I haven't used this tag, but did write an in-house UDF that is called in
Application.cfm.  It simply loops through all form, url, and cookie
parameters and replaces a single quote with chr(96) (hope I got that right),
and strips HTML tags.  It would be very easy to change this to also strip
out semi-colons.  The logic/code required is very simple to do.  There are a
few samples of stuff like this at www.cflib.org.

This is a filtering method, and may not catch everything, but with this, and
our use of stored procs where we can, and CFQUERYPARAM, I don't think we are
open to this attack.  hmmm... I better go test that to be sure 

Shawn Grover

-Original Message-
From: Brian Scandale [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:53 AM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?


There is a custom tag...  on the developers exchange that
I've been using... It searches the caller.form.fieldnames structure looking
for all sorts of nasty includes.

After just reading it again I think I can also make it filter url submitted
input as well.

Anyone here use or have comments on this tag's limitations? Was an easy first
step for me but I am suddenly worried about url hacks as well.

Brian



At 08:17 AM 4/12/02 -0700, you wrote:
>Hi all,
>
>Had some interesting errors in our logs yesterday. It appears that someone's
>trying to hack our database by inserting SQL query language into the URL
>string.
>
>We're doing all the standard security measures, including filtering for
>single quotes, using database passwords, and the like, and we locked out
>their IP immediately. But really, how do you prevent this? Any
>ideas/feedback out there?
>
>Ian
>
>Portent Interactive
>Helping clients build customer relationships on the web since 1995
>Consulting, design, development, measurement
>http://www.portentinteractive.com
>
>




Re: FW: Preventing SQL injection attacks...?

2002-04-12 Thread ksuh

No.  That would end up in the URL scope:

url.session.password

- Original Message -
From: "Yager, Brian T Contractor/NCCIM" <[EMAIL PROTECTED]>
Date: Friday, April 12, 2002 11:55 am
Subject: FW: Preventing SQL injection attacks...?

> Sorry Dave...Didn't mean to send that just to you...My mistake!
> 
> 
> 
> I never really thought of anything like this.  Can session variables be
> compromised doing the same thing?
> 
> http://mydomain.com/index.cfm?session.password=whatever
> 
> If so, this would be very upsetting to me.  
> 
> Thanks,
> 
> Brian Yager
> President - North AL Cold Fusion Users Group
> Sr. Systems Analyst
> NCCIM/CIC
> [EMAIL PROTECTED]
> (256) 842-8342
> 
> 
> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 12, 2002 11:36 AM
> To: '[EMAIL PROTECTED]'
> Cc: '[EMAIL PROTECTED]'
> Subject: RE: Preventing SQL injection attacks...?
> 
> 
> > Could you show me an example of an SQL injection attack? I 
> > want to test my app to see what I need to do to protect 
> > against this.
> 
> All of these sorts of attacks rely on tampering with form or URL data to add
> SQL statements directly to that data, on the assumption that the data may be
> used in an SQL query, in which case the tampered data may execute within the
> SQL database. Typically, you'll see examples where you've got a URL like
> this:
> 
> http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable
> 
> However, in real life, typically you won't see attacks like that because
> there's nothing to gain from dropping a table or deleting records. Real
> attacks are usually more subtle and useful to the attacker. One of my
> favorites is the use of the SQL Server system stored procedure xp_cmdshell
> to open a command shell, which can be used to fetch a file from an
> attacker's FTP server and run it. That's much more interesting.
> 
> Note also that most of the examples you'll see will show tampered URL data,
> but you can do the same thing with form data almost as easily.
> 
> Here's a URL which describes SQL injection attacks:
> http://www.owasp.or
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
> 



FW: Preventing SQL injection attacks...?

2002-04-12 Thread Yager, Brian T Contractor/NCCIM

Sorry Dave...Didn't mean to send that just to you...My mistake!



I never really thought of anything like this.  Can session variables be
compromised doing the same thing?

http://mydomain.com/index.cfm?session.password=whatever

If so, this would be very upsetting to me.  

Thanks,

Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342


-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:36 AM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Preventing SQL injection attacks...?


> Could you show me an example of an SQL injection attack? I 
> want to test my app to see what I need to do to protect 
> against this.

All of these sorts of attacks rely on tampering with form or URL data to add
SQL statements directly to that data, on the assumption that the data may be
used in an SQL query, in which case the tampered data may execute within the
SQL database. Typically, you'll see examples where you've got a URL like
this:

http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable

However, in real life, typically you won't see attacks like that because
there's nothing to gain from dropping a table or deleting records. Real attacks
are usually more subtle and useful to the attacker. One of my favorites is the
use of the SQL Server system stored procedure xp_cmdshell to open a command
shell, which can be used to fetch a file from an attacker's FTP server and
run it. That's much more interesting.

Note also that most of the examples you'll see will show tampered URL data,
but you can do the same thing with form data almost as easily.

Here's a URL which describes SQL injection attacks:
http://www.owasp.org/asac/input_validation/sql.shtml

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444



Re: RE: Preventing SQL injection attacks...?

2002-04-12 Thread ksuh

 does in fact prevent that code from running.  
 creates a prepared statement with parameters.  It then 
compares what you've entered as a value with the datatype you've 
specified and, if successful, binds the parameters with what you've 
entered.  So, if you entered:

select * from table where id = 

and then in your url entered: id=12;drop table yourtable

It would throw you an error.

As well, if you had:

select * from table where id = 

It would create the equivalent SQL statement of:

select * from table where id = '12;drop table yourtable'

- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:00 am
Subject: RE: Preventing SQL injection attacks...?

> let's say you have a text field that is 100 characters long. you can still
> get a "drop table tablename" appended to the sql statement or write an
> entire sql statement. Cfqueryparam was meant to speed up cfquery, not to be
> a cure-all.
> 
> Anthony Petruzzi
> Webmaster
> 954-321-4703
> [EMAIL PROTECTED]
> http://www.sheriff.org
> 
> 
> -Original Message-
> From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 12, 2002 1:06 PM
> To: CF-Talk
> Subject: Re: Preventing SQL injection attacks...?
> 
> 
> [EMAIL PROTECTED] wrote:
> 
> >you can't forget that form fields also play a part in this. after reading
> >the information provided in jeff's link, it did shine a light. although i
> >have been taught from the beginning to always use val() around numeric
> >values (thank Adam) and to use regex to validate text input (props
> >Raymond).
> >if you're anal and take the time to make sure that the information that
> >people are passing you is in the exact format you want, you shouldn't
> >have a problem. also, don't rely on javascript, i always do server-side
> >validation even after client side, just to make certain. i even go as far
> >as putting as much validation as i can into my stored procedures and
> >triggers. although SQL server doesn't support regular expressions, which
> >sucks! anyone know a way it could?
> >
> why not just use cfqueryparam, it validates and it makes your sql
> code run faster???
> 
> 
> 



RE: Preventing SQL injection attacks...?

2002-04-12 Thread Yager, Brian T Contractor/NCCIM

what is regex?  I don't see it in my functions list (Forta CF5 Web Application
Kit).


Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:42 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


you can't forget that form fields also play a part in this. after reading
the information provided in jeff's link, it did shine a light. although i
have been taught from the beginning to always use val() around numeric
values (thank Adam) and to use regex to validate text input (props Raymond).
if you're anal and take the time to make sure that the information that people
are passing you is in the exact format you want, you shouldn't have a
problem. also, don't rely on javascript, i always do server-side validation
even after client side, just to make certain. i even go as far as putting as
much validation as i can into my stored procedures and triggers. although
SQL server doesn't support regular expressions, which sucks! anyone know a
way it could?

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:36 PM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


> Could you show me an example of an SQL injection attack? I 
> want to test my app to see what I need to do to protect 
> against this.

All of these sorts of attacks rely on tampering with form or URL data to add
SQL statements directly to that data, on the assumption that the data may be
used in an SQL query, in which case the tampered data may execute within the
SQL database. Typically, you'll see examples where you've got a URL like
this:

http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable

However, in real life, typically you won't see attacks like that because
there's nothing to gain from dropping a table or deleting records. Real attacks
are usually more subtle and useful to the attacker. One of my favorites is the
use of the SQL Server system stored procedure xp_cmdshell to open a command
shell, which can be used to fetch a file from an attacker's FTP server and
run it. That's much more interesting.

Note also that most of the examples you'll see will show tampered URL data,
but you can do the same thing with form data almost as easily.

Here's a URL which describes SQL injection attacks:
http://www.owasp.org/asac/input_validation/sql.shtml

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444






RE: Preventing SQL injection attacks...?

2002-04-12 Thread Tony_Petruzzi

this still doesn't look like it would stop someone from entering in a ' into
the string and then executing a sql statement.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-Original Message-
From: Sharon Diorio [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:37 PM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?


 can be used for
validating almost anything.  It's an underused function.

Sharon DiOrio

- Original Message - 
From: "Justin Scott" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, April 12, 2002 12:30 PM
Subject: Re: Preventing SQL injection attacks...?


> > won't execute SQL, but only evaluate it as a string input.  So if you're
> > expecting numbers, then validate, using isNumeric() or CFQueryParam.
> 
> Or if you know a value must be numeric, wrap a val() around it.  That will
> knock any text strings down to 0 and prevent an SQL error from being
thrown,
> as well as allow your app to handle the empty record set just as if any
> other invalid numeric value had been tossed at it.
> 
> -Justin Scott, Lead Developer
>  Sceiron Internet Services, Inc.
>  http://www.sceiron.com
> 
> 
> 




RE: Preventing SQL injection attacks...?

2002-04-12 Thread BillyC

"One of my favorites is the use of the SQL Server system stored
procedure xp_cmdshell to open a command shell, which can be used to
fetch a file from an attacker's FTP server and run it."

I always knew Dave was a cracker (not hacker!) extraordinaire :-)

---
Billy Cravens






Re: Preventing SQL injection attacks...?

2002-04-12 Thread Sharon Diorio

 can be used for validating 
almost anything.  It's an underused function.

Sharon DiOrio

- Original Message - 
From: "Justin Scott" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, April 12, 2002 12:30 PM
Subject: Re: Preventing SQL injection attacks...?


> > won't execute SQL, but only evaluate it as a string input.  So if you're
> > expecting numbers, then validate, using isNumeric() or CFQueryParam.
> 
> Or if you know a value must be numeric, wrap a val() around it.  That will
> knock any text strings down to 0 and prevent an SQL error from being thrown,
> as well as allow your app to handle the empty record set just as if any
> other invalid numeric value had been tossed at it.
> 
> -Justin Scott, Lead Developer
>  Sceiron Internet Services, Inc.
>  http://www.sceiron.com
> 
> 
> 



RE: Preventing SQL injection attacks...?

2002-04-12 Thread Trusz, Andrew

Also try http://www.sqlsecurity.com/faq.asp.

andy

-Original Message-
From: Garza, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:37 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


There was a real good white paper from NGSSoftware.  It's called Advanced
SQL Injection and can be found near the bottom of this page.

http://www.nextgenss.com/research.html#papers

Frightening...

Jeff Garza
Lead Developer/Webmaster
Spectrum Astro, Inc.
[EMAIL PROTECTED]
http://www.spectrumastro.com


-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 8:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


That's what I thought.

Man, you think you're an expert, and then some 13 year old somewhere makes
you feel like a punk again :)

Is there a good paper on Macromedia.com about this? I read some of the stuff
but nothing seemed really on-point...

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 8:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


> make sure you are at the latest MDAC and have all service packs applied 
> for SQL. I think that the latest MDAC prevents attacks like this, but 
> I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444







RE: Preventing SQL injection attacks...?

2002-04-12 Thread Lewis Steven

Hey,

Are CFID and CFTOKEN vulnerable to this if they are stored as COOKIES and you
are using a DB to store client variables?

Since I assume you could easily modify the CFID and CFTOKEN in your cookie
file that the browser maintains.

-Original Message-
From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:06 PM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?


[EMAIL PROTECTED] wrote:

>you can't forget that form fields also play a part in this. after reading
>the information provided in jeff's link, it did shine a light. although i
>have been taught from the beginning to always use val() around numeric
>values (thank Adam) and to use regex to validate text input (props Raymond).
>if you're anal and take the time to make sure that the information that people
>are passing you is in the exact format you want, you shouldn't have a
>problem. also, don't rely on javascript, i always do server-side validation
>even after client side, just to make certain. i even go as far as putting as
>much validation as i can into my stored procedures and triggers. although
>SQL server doesn't support regular expressions, which sucks! anyone know a
>way it could?
>
why not just use cfqueryparam, it validates and it makes your sql code
run faster???





RE: Preventing SQL injection attacks...?

2002-04-12 Thread Tony_Petruzzi

let's say you have a text field that is 100 characters long. you can still
get a "drop table tablename" appended to the sql statement or write an
entire sql statement. Cfqueryparam was meant to speed up cfquery, not to be a
cure-all.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-Original Message-
From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:06 PM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?


[EMAIL PROTECTED] wrote:

>you can't forget that form fields also play a part in this. after reading
>the information provided in jeff's link, it did shine a light. although i
>have been taught from the beginning to always use val() around numeric
>values (thank Adam) and to use regex to validate text input (props Raymond).
>if you're anal and take the time to make sure that the information that people
>are passing you is in the exact format you want, you shouldn't have a
>problem. also, don't rely on javascript, i always do server-side validation
>even after client side, just to make certain. i even go as far as putting as
>much validation as i can into my stored procedures and triggers. although
>SQL server doesn't support regular expressions, which sucks! anyone know a
>way it could?
>
why not just use cfqueryparam, it validates and it makes your sql code
run faster???





Re: Preventing SQL injection attacks...?

2002-04-12 Thread Zac Spitzer

[EMAIL PROTECTED] wrote:

>you can't forget that form fields also play a part in this. after reading
>the information provided in jeff's link, it did shine a light. although i
>have been taught from the beginning to always use val() around numeric
>values (thank Adam) and to use regex to validate text input (props Raymond).
>if you're anal and take the time to make sure that the information that people
>are passing you is in the exact format you want, you shouldn't have a
>problem. also, don't rely on javascript, i always do server-side validation
>even after client side, just to make certain. i even go as far as putting as
>much validation as i can into my stored procedures and triggers. although
>SQL server doesn't support regular expressions, which sucks! anyone know a
>way it could?
>
why not just use cfqueryparam, it validates and it makes your sql code 
run faster???




RE: Preventing SQL injection attacks...?

2002-04-12 Thread Craig Thomas

>>

Page.cfm?productid=2;delete%20from%20products

Then your DB sees:

Select productName from products where productID = 2;delete from
products

---
<<

or worse : Page.cfm?productid=2;drop%table%products;

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:01 PM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


Let's say your query is:

Select productName from products where productID = #url.productid#

If the url is page.cfm?productid=2 then your db sees
Select productName from products where productID = 2

But if a "hacker" (I hate that term - may eternal scorn be given to
those who usurped the term and used it as a synonym for "cracker")
enters this url:

Page.cfm?productid=2;delete%20from%20products

Then your DB sees:

Select productName from products where productID = 2;delete from
products

---
Billy Cravens


-Original Message-
From: Yager, Brian T Contractor/NCCIM
[mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:36 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

Dave,

Could you show me an example of an SQL injection attack?  I want to test
my app to see what I need to do to protect against this.

Thanks,

Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342


-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


> make sure you are at the latest MDAC and have all service
> packs applied for SQL. I think that the latest MDAC prevents
> attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




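As an added example that is not code from the thread, from ColdFusion, or from any of the posters, here is the contrast the thread keeps circling: Billy Cravens' `#url.productid#` concatenation (quoted above) set beside what ksuh describes `<cfqueryparam>` doing (check the value against the declared cfsqltype, then bind it as a parameter). It is written in Python against an in-memory SQLite database so it runs anywhere; the table layout, the sample rows and the `CFSQLTYPES` mapping are assumptions made for the demo, and the URL value is the thread's own `2;delete from products`, decoded.

```python
"""
Added example, not code from the cf-talk thread: the two ways of building
the products query, run against an in-memory SQLite database so the
difference can be observed.

  * build_by_concatenation() does what "#url.productid#" inside <cfquery>
    does: the request value is pasted into the SQL text.
  * query_with_parameter() does what ksuh says <cfqueryparam> does: the
    value is checked against the declared cfsqltype and then bound as a
    parameter, so the database only ever sees it as data.

Table layout, sample rows and the CFSQLTYPES mapping are constructed here.
"""
import sqlite3

# Constructed sample data.
SAMPLE_ROWS = [(1, "widget"), (2, "gadget"), (3, "gizmo")]

# The decoded form of the thread's example URL value.
PAYLOAD = "2;delete from products"


def fresh_db():
    """New in-memory database with a small products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (productID INTEGER, productName TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def count_rows(conn):
    """Number of rows currently in the products table."""
    return conn.execute("SELECT count(*) FROM products").fetchone()[0]


def build_by_concatenation(productid):
    """The SQL text a <cfquery> with #url.productid# sends to the driver."""
    return "SELECT productName FROM products WHERE productID = " + str(productid)


def run_concatenated(conn, productid):
    """Send the concatenated text to a driver that accepts stacked statements
    (what SQL Server did in the thread).  sqlite3's execute() refuses more
    than one statement, which would hide the problem, so executescript() is
    used on purpose.  Returns the number of products left afterwards."""
    conn.executescript(build_by_concatenation(productid))
    return count_rows(conn)


# Assumed subset of cfsqltype names, mapped to the check each one implies.
CFSQLTYPES = {
    "cf_sql_integer": int,
    "cf_sql_varchar": str,
}


def query_with_parameter(conn, productid, cfsqltype="cf_sql_integer"):
    """Mimics <cfqueryparam value="#url.productid#" cfsqltype="...">:
    validate against the declared type first, then bind, never concatenate."""
    coerce = CFSQLTYPES[cfsqltype]
    try:
        value = coerce(productid)
    except ValueError as exc:
        # For cf_sql_integer, "2;delete from products" fails here: the
        # request is rejected before any SQL reaches the database.
        raise ValueError(f"{productid!r} is not a valid {cfsqltype}") from exc
    cur = conn.execute(
        "SELECT productName FROM products WHERE productID = ?", (value,))
    return [row[0] for row in cur.fetchall()]


def demo():
    """Run both strategies and report what happened to the data."""
    results = {}

    # 1. Concatenation: the trailing statement runs and empties the table.
    results["sql_sent"] = build_by_concatenation(PAYLOAD)
    results["rows_after_concat"] = run_concatenated(fresh_db(), PAYLOAD)

    # 2. Parameter declared as integer: rejected before reaching the database.
    conn = fresh_db()
    try:
        query_with_parameter(conn, PAYLOAD, "cf_sql_integer")
        results["integer_rejected"] = False
    except ValueError:
        results["integer_rejected"] = True

    # 3. Parameter declared as varchar: the whole string is bound as one
    #    literal, matches no productID, and the table is untouched.
    results["varchar_matches"] = query_with_parameter(conn, PAYLOAD, "cf_sql_varchar")
    results["rows_after_param"] = count_rows(conn)

    # 4. A legitimate id still works through the parameterised path.
    results["legit"] = query_with_parameter(conn, "2")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the three outcomes ksuh lists: with the value pasted into the text the table is emptied; declared as an integer the same value is rejected with an error before any query is sent; declared as varchar it is bound as one literal string that matches nothing, which is exactly the `where id = '12;drop table yourtable'` case. The `executescript()` call is the one deliberate departure from normal sqlite3 usage, chosen because `execute()` would refuse the stacked statement and make the concatenated version look safe when the page is discussing a driver where it is not.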



Re: Preventing SQL injection attacks...?

2002-04-12 Thread Brian Scandale

There is a custom tag...  on the developers exchange that I've been 
using... It searches the caller.form.fieldnames structure looking for all sorts of 
nasty includes. 

After just reading it again I think I can also make it filter url submitted input as 
well.

Anyone here use or have comments on this tag's limitations? Was an easy first step for 
me but I am suddenly worried about url hacks as well.

Brian



At 08:17 AM 4/12/02 -0700, you wrote:
>Hi all,
>
>Had some interesting errors in our logs yesterday. It appears that someone's
>trying to hack our database by inserting SQL query language into the URL
>string.
>
>We're doing all the standard security measures, including filtering for
>single quotes, using database passwords, and the like, and we locked out
>their IP immediately. But really, how do you prevent this? Any
>ideas/feedback out there?
>
>Ian
>
>Portent Interactive
>Helping clients build customer relationships on the web since 1995
>Consulting, design, development, measurement
>http://www.portentinteractive.com
>
>



RE: Preventing SQL injection attacks...?

2002-04-12 Thread Tony_Petruzzi

you can't forget that form fields also play a part in this. after reading
the information provided in jeff's link, it did shine a light. although i
have been taught from the beginning to always use val() around numeric
values (thank Adam) and to use regex to validate text input (props Raymond).
if you're anal and take the time to make sure that the information that people
are passing you is in the exact format you want, you shouldn't have a
problem. also, don't rely on javascript, i always do server-side validation
even after client side, just to make certain. i even go as far as putting as
much validation as i can into my stored procedures and triggers. although
SQL server doesn't support regular expressions, which sucks! anyone know a
way it could?

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:36 PM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


> Could you show me an example of an SQL injection attack? I 
> want to test my app to see what I need to do to protect 
> against this.

All of these sorts of attacks rely on tampering with form or URL data to add
SQL statements directly to that data, on the assumption that the data may be
used in an SQL query, in which case the tampered data may execute within the
SQL database. Typically, you'll see examples where you've got a URL like
this:

http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable

However, in real life, typically you won't see attacks like that because
there's nothing to gain from dropping a table or deleting records. Real attacks
are usually more subtle and useful to the attacker. One of my favorites is the
use of the SQL Server system stored procedure xp_cmdshell to open a command
shell, which can be used to fetch a file from an attacker's FTP server and
run it. That's much more interesting.

Note also that most of the examples you'll see will show tampered URL data,
but you can do the same thing with form data almost as easily.

Here's a URL which describes SQL injection attacks:
http://www.owasp.org/asac/input_validation/sql.shtml

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444





Re: Preventing SQL injection attacks...?

2002-04-12 Thread Justin Scott

> won't execute SQL, but only evaluate it as a string input.  So if you're
> expecting numbers, then validate, using isNumeric() or CFQueryParam.

Or if you know a value must be numeric, wrap a val() around it.  That will
knock any text strings down to 0 and prevent an SQL error from being thrown,
as well as allow your app to handle the empty record set just as if any
other invalid numeric value had been tossed at it.

-Justin Scott, Lead Developer
 Sceiron Internet Services, Inc.
 http://www.sceiron.com


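As an added example that is not code from the thread or from any poster, here are the three input-handling styles argued over in the thread side by side: Shawn Grover's blacklist filter (replace a single quote with chr(96), strip HTML tags), Justin Scott's `val()` wrapper, and the allow-list regex validation Tony Petruzzi argues for. It is written in Python so it runs offline; `val_like()` is an approximation of ColdFusion's `val()` (leading number or 0), the field names and per-field patterns are assumptions for the demo, and the only attack value used is the thread's own `2;delete from products`.

```python
"""
Added example, not code from the cf-talk thread: filtering versus coercion
versus allow-list validation, applied to the thread's own request value.

  * filter_value()  Shawn Grover's blacklist style: swap a single quote for
                    chr(96) and strip HTML tags, keep everything else
  * val_like()      approximation of the val() Justin Scott wraps around
                    numeric input: the number at the start of the string, or 0
  * validate()      Tony Petruzzi's allow-list style: one regex per field
                    stating exactly what shape the value may have

Field names and the per-field patterns are constructed for the demo.
"""
import re

TAG_RE = re.compile(r"<[^>]*>")


def filter_value(value):
    """Blacklist filter: neutralise single quotes and strip tags."""
    return TAG_RE.sub("", value.replace("'", chr(96)))   # chr(96) is a backtick


LEADING_NUMBER_RE = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)")


def val_like(value):
    """Approximation of ColdFusion val(): leading numeric prefix, else 0."""
    match = LEADING_NUMBER_RE.match(value)
    return float(match.group(0)) if match else 0


# Constructed allow-list: one rule per field; fullmatch() anchors both ends.
FIELD_RULES = {
    "productid": re.compile(r"[1-9]\d{0,9}"),        # positive integer id
    "sku": re.compile(r"[A-Z]{2,4}-\d{3,6}"),        # e.g. "AB-1234"
}


def validate(field, value):
    """Allow-list validation: accept only values matching the field's rule."""
    return FIELD_RULES[field].fullmatch(value) is not None


def demo():
    """Run each style over the thread's value and over legitimate input."""
    injected = "2;delete from products"    # the thread's URL value, decoded
    legit_name = "O'Reilly"                # constructed legitimate text value
    return {
        # A quote filter never fires on a numeric-context payload (there is
        # no quote in it), which is why Ian's quote filtering did not help.
        "filtered_payload": filter_value(injected),
        # ...yet it silently mangles legitimate text.
        "filtered_name": filter_value(legit_name),
        # val() keeps the leading number and drops the rest, so only the
        # integer 2 ever reaches the query; pure text becomes 0.
        "val_payload": val_like(injected),
        "val_text": val_like("drop table mytable"),
        # The allow-list answers yes/no before the value is used anywhere.
        "valid_id": validate("productid", "2"),
        "valid_payload": validate("productid", injected),
        "valid_sku": validate("sku", "AB-1234"),
        "valid_sku_short": validate("sku", "AB-12"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point the comparison makes is the one Shawn concedes ("may not catch everything"): a filter that removes what it knows about passes the `2;delete from products` value untouched because there is nothing in it to remove, while both `val()` and an anchored allow-list pattern decide on the shape of the value rather than on a list of bad characters. The allow-list is the only one of the three that also rejects the value outright instead of quietly reinterpreting it, which is what you want for logging and alerting on tampered requests.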



RE: Preventing SQL injection attacks...?

2002-04-12 Thread Dave Watts

> Could you show me an example of an SQL injection attack? I 
> want to test my app to see what I need to do to protect 
> against this.

All of these sorts of attacks rely on tampering with form or URL data to add
SQL statements directly to that data, on the assumption that the data may be
used in an SQL query, in which case the tampered data may execute within the
SQL database. Typically, you'll see examples where you've got a URL like
this:

http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable

However, in real life, typically you won't see attacks like that because
there's nothing to gain from dropping a table or deleting records. Real attacks
are usually more subtle and useful to the attacker. One of my favorites is the
use of the SQL Server system stored procedure xp_cmdshell to open a command
shell, which can be used to fetch a file from an attacker's FTP server and
run it. That's much more interesting.

Note also that most of the examples you'll see will show tampered URL data,
but you can do the same thing with form data almost as easily.

Here's a URL which describes SQL injection attacks:
http://www.owasp.org/asac/input_validation/sql.shtml

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




RE: Preventing SQL injection attacks...?

2002-04-12 Thread Rich Wild

stored procedures are your friends.

they enforce strict datatypes.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 12 April 2002 17:11
> To: CF-Talk
> Subject: RE: Preventing SQL injection attacks...?
> 
> 
> This is probably the biggest security problem with web applications.  It
> boils down to securing and validating your input.  Most of these attacks
> are successful only when you're evaluating a number - since a string
> won't execute SQL, but only evaluate it as a string input.  So if you're
> expecting numbers, then validate, using isNumeric() or CFQueryParam.
> 
> ---
> Billy Cravens
> 
> 
> -Original Message-
> From: Ian Lurie [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, April 12, 2002 10:17 AM
> To: CF-Talk
> Subject: Preventing SQL injection attacks...?
> 
> Hi all,
> 
> Had some interesting errors in our logs yesterday. It appears that someone's
> trying to hack our database by inserting SQL query language into the URL
> string.
> 
> We're doing all the standard security measures, including filtering for
> single quotes, using database passwords, and the like, and we locked out
> their IP immediately. But really, how do you prevent this? Any
> ideas/feedback out there?
> 
> Ian
> 
> Portent Interactive
> Helping clients build customer relationships on the web since 1995
> Consulting, design, development, measurement
> http://www.portentinteractive.com
> 
> 
> 



RE: Preventing SQL injection attacks...?

2002-04-12 Thread BillyC

This is probably the biggest security problem with web applications.  It
boils down to securing and validating your input.  Most of these attacks
are successful only when you're evaluating a number - since a string
won't execute SQL, but only evaluate it as a string input.  So if you're
expecting numbers, then validate, using isNumeric() or CFQueryParam.  

---
Billy Cravens


-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 10:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?

Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's
trying to hack our database by inserting SQL query language into the URL
string.

We're doing all the standard security measures, including filtering for
single quotes, using database passwords, and the like, and we locked out
their IP immediately. But really, how do you prevent this? Any
ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com





RE: Preventing SQL injection attacks...?

2002-04-12 Thread BillyC

To build on what Dave said, I like to use separate datasources for
different permissions (easily set in CF Admin) - on most applications, I
like having datasourcename_read with read permissions,
datasourcename_delete with delete permissions, etc.  This doesn't
eliminate your problem, but it minimizes the risk of a delete, etc, on a
simple select query.  Of course, this should also be enforced at the DB
security level - if you have a select-only datasource, there's no reason
for the user for that dsn to have write permissions.

---
Billy Cravens


-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 10:40 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

> Had some interesting errors in our logs yesterday. It 
> appears that someone's trying to hack our database by 
> inserting SQL query language into the URL string.
> 
> We're doing all the standard security measures, including 
> filtering for single quotes, using database passwords, and 
> the like, and we locked out their IP immediately. But really, 
> how do you prevent this? Any ideas/feedback out there?

There are a number of things you can do to address this:

1. Apply a generic input filter to your web server.
2. Validate all data sent to your application.
3. Limit the application's rights to the database.
4. Use stored procedures exclusively.

Typically, you should at least do the second and third items listed. The
primary issue is one of data validation - making sure that values contain
the appropriate datatype, and if they're string values, that they don't
contain metacharacters that would allow the execution of code. Another
essential item is to limit what rights your application has within the
database; typically, your application should only have rights to read and
write data. If you use stored procedures exclusively, you can limit the
application's rights even further, only allowing it to execute the stored
procedures. Note that you can do this entirely within the database: create a
login and give it the specified rights, then use that login within your
application's datasource. You can also configure the datasource itself to
limit rights, which is also good but is no substitute for doing so within
the database itself.

As mentioned in the first item, you can use an input filter, which is a
piece of software you install on your web server. There are several
available for IIS, such as Microsoft's free URLScan tool or eEye's
SecureIIS:
http://www.microsoft.com/technet/security/
http://www.eeye.com/

I'd recommend that you perform data validation within your application in
any case, though.

These sorts of issues are covered in Fig Leaf Software's "Securing
ColdFusion Servers on Windows" one-day seminar, if you're interested in
that:
http://training.figleaf.com/figleaftraining/Courses/Securing-ColdFusion-Servers-on-Windows.cfm

I'm also going to talk about input filtering at the CF_NORTH conference, I
think:
http://www.cfnorth.com/Agenda/CFnorthCore.cfm?page=Topics

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444





RE: Preventing SQL injection attacks...?

2002-04-12 Thread Tony_Petruzzi

kewl link. they got some awesome info besides the sql stuff. good going
jeff!

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-Original Message-
From: Garza, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:37 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


There was a real good white paper from NGSSoftware.  It's called Advanced
SQL Injection and can be found near the bottom of this page.

http://www.nextgenss.com/research.html#papers

Frightening...

Jeff Garza
Lead Developer/Webmaster
Spectrum Astro, Inc.
[EMAIL PROTECTED]
http://www.spectrumastro.com


-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 8:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


That's what I thought.

Man, you think you're an expert, and then some 13 year old somewhere makes
you feel like a punk again :)

Is there a good paper on Macromedia.com about this? I read some of the stuff
but nothing seemed really on-point...

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 8:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


> make sure you are at the latest MDAC and have all service pack applied 
> for SQL. I think that the latest MDAC prevents attacks like this, but 
> I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444







RE: Preventing SQL injection attacks...?

2002-04-12 Thread BillyC

Let's say your query is:

Select productName from products where productID = #url.productid#

If the url is page.cfm?productid=2 then your db sees
Select productName from products where productID = 2

But if a "hacker" (I hate that term - may eternal scorn be given to
those who usurped the term and used it as a synonym for "cracker")
enters this url:

Page.cfm?productid=2;delete%20from%20products

Then your DB sees:

Select productName from products where productID = 2;delete from products

---
Billy Cravens


-Original Message-
From: Yager, Brian T Contractor/NCCIM
[mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 10:36 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

Dave,

Could you show me an example of an SQL injection attack?  I want to test my app
to see what I need to do to protect against this.

Thanks,

Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342


-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


> make sure you are at the latest MDAC and have all service 
> pack applied for SQL. I think that the latest MDAC prevents 
> attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444






RE: Preventing SQL injection attacks...?

2002-04-12 Thread Tony_Petruzzi

http://www.asptoday.com/content/articles/20020225.asp

it's for asp but the concept still applies

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-Original Message-
From: Mike Chambers [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:44 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


can you give some more information?

are you passing entire SQL queries from page to page? or is there just
specific values that are passed between pages and then used by an
existing SQL query?

mike chambers

[EMAIL PROTECTED]

> -Original Message-
> From: Ian Lurie [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, April 12, 2002 11:30 AM
> To: CF-Talk
> Subject: RE: Preventing SQL injection attacks...?
> 
> 
> That's what I thought.
> 
> Man, you think you're an expert, and then some 13 year old 
> somewhere makes you feel like a punk again :)
> 
> Is there a good paper on Macromedia.com about this? I read 
> some of the stuff but nothing seemed really on-point...
> 





RE: Preventing SQL injection attacks...?

2002-04-12 Thread Ian Lurie

Egads, no - just specific values passed from one page to another, and then
to a query.

I should mention that none of these attacks SUCCEEDED - don't want to get
the vultures circling. But they generate a lot of errors and I can see a
potential avenue of attack by that route.

-Original Message-
From: Mike Chambers [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 8:44 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


can you give some more information?

are you passing entire SQL queries from page to page? or is there just
specific values that are passed between pages and then used by an
existing SQL query?

mike chambers

[EMAIL PROTECTED]

> -Original Message-
> From: Ian Lurie [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 12, 2002 11:30 AM
> To: CF-Talk
> Subject: RE: Preventing SQL injection attacks...?
>
>
> That's what I thought.
>
> Man, you think you're an expert, and then some 13 year old
> somewhere makes you feel like a punk again :)
>
> Is there a good paper on Macromedia.com about this? I read
> some of the stuff but nothing seemed really on-point...
>





RE: Preventing SQL injection attacks...?

2002-04-12 Thread Mike Chambers

can you give some more information?

are you passing entire SQL queries from page to page? or is there just
specific values that are passed between pages and then used by an
existing SQL query?

mike chambers

[EMAIL PROTECTED]

> -Original Message-
> From: Ian Lurie [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, April 12, 2002 11:30 AM
> To: CF-Talk
> Subject: RE: Preventing SQL injection attacks...?
> 
> 
> That's what I thought.
> 
> Man, you think you're an expert, and then some 13 year old 
> somewhere makes you feel like a punk again :)
> 
> Is there a good paper on Macromedia.com about this? I read 
> some of the stuff but nothing seemed really on-point...
> 




RE: Preventing SQL injection attacks...?

2002-04-12 Thread Garza, Jeff

There was a real good white paper from NGSSoftware.  It's called Advanced
SQL Injection and can be found near the bottom of this page.

http://www.nextgenss.com/research.html#papers

Frightening...

Jeff Garza
Lead Developer/Webmaster
Spectrum Astro, Inc.
[EMAIL PROTECTED]
http://www.spectrumastro.com


-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 8:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


That's what I thought.

Man, you think you're an expert, and then some 13 year old somewhere makes
you feel like a punk again :)

Is there a good paper on Macromedia.com about this? I read some of the stuff
but nothing seemed really on-point...

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 8:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


> make sure you are at the latest MDAC and have all service pack applied 
> for SQL. I think that the latest MDAC prevents attacks like this, but 
> I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444






RE: Preventing SQL injection attacks...?

2002-04-12 Thread Dave Watts

> Had some interesting errors in our logs yesterday. It 
> appears that someone's trying to hack our database by 
> inserting SQL query language into the URL string.
> 
> We're doing all the standard security measures, including 
> filtering for single quotes, using database passwords, and 
> the like, and we locked out their IP immediately. But really, 
> how do you prevent this? Any ideas/feedback out there?

There are a number of things you can do to address this:

1. Apply a generic input filter to your web server.
2. Validate all data sent to your application.
3. Limit the application's rights to the database.
4. Use stored procedures exclusively.

Typically, you should at least do the second and third items listed. The
primary issue is one of data validation - making sure that values contain
the appropriate datatype, and if they're string values, that they don't
contain metacharacters that would allow the execution of code. Another
essential item is to limit what rights your application has within the
database; typically, your application should only have rights to read and
write data. If you use stored procedures exclusively, you can limit the
application's rights even further, only allowing it to execute the stored
procedures. Note that you can do this entirely within the database: create a
login and give it the specified rights, then use that login within your
application's datasource. You can also configure the datasource itself to
limit rights, which is also good but is no substitute for doing so within
the database itself.

As mentioned in the first item, you can use an input filter, which is a
piece of software you install on your web server. There are several
available for IIS, such as Microsoft's free URLScan tool or eEye's
SecureIIS:
http://www.microsoft.com/technet/security/
http://www.eeye.com/

I'd recommend that you perform data validation within your application in
any case, though.

These sorts of issues are covered in Fig Leaf Software's "Securing
ColdFusion Servers on Windows" one-day seminar, if you're interested in
that:
http://training.figleaf.com/figleaftraining/Courses/Securing-ColdFusion-Servers-on-Windows.cfm

I'm also going to talk about input filtering at the CF_NORTH conference, I
think:
http://www.cfnorth.com/Agenda/CFnorthCore.cfm?page=Topics

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
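The following is an added example, not code from any of the list posts. It takes the productID query from Billy Cravens' message and applies items 2 to 4 of the list above: validate the value, bind it as a parameter with cfqueryparam, and call a stored procedure through a datasource whose login has only EXECUTE rights. The datasource names "products_read" and "products_exec" and the stored procedure "GetProductByID" are assumptions for the illustration; the login behind each datasource is assumed to have been created and restricted in the database, as the post recommends.

```cfml
<!--- Added example (not from the list posts). Assumed names:
      datasource "products_read"  - its database login can only SELECT from products
      datasource "products_exec"  - its login has EXECUTE on GetProductByID and nothing else
      GetProductByID              - an assumed stored procedure taking one integer parameter --->

<!--- The query as written in the thread, kept as a comment for contrast only.
      url.productid is pasted straight into the SQL text, so a value of
      "2;delete from products" arrives at the database as two statements:

      <cfquery name="getProduct" datasource="products_read">
          SELECT productName FROM products WHERE productID = #url.productid#
      </cfquery>
--->

<!--- Item 2, validate: a product ID is a positive whole number, so refuse
      anything else before any query runs. The regex is stricter than
      isNumeric(), which also accepts signs, decimals and exponents. --->
<cfparam name="url.productid" default="">
<cfif NOT ReFind("^[1-9][0-9]*$", url.productid)>
    <cfthrow type="Application.InvalidInput"
             message="productid must be a positive integer">
</cfif>

<!--- Item 2 again, parameterize: cfqueryparam (ColdFusion 4.5 and later)
      sends the value as a bound integer parameter instead of SQL text, so a
      trailing ";delete from products" cannot become a second statement. --->
<cfquery name="getProduct" datasource="products_read">
    SELECT productName
    FROM products
    WHERE productID = <cfqueryparam value="#url.productid#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Items 3 and 4, least rights plus stored procedures: the application
      only needs EXECUTE on GetProductByID, so the login behind products_exec
      is granted exactly that in the database itself, not just in CF Admin. --->
<cfstoredproc procedure="GetProductByID" datasource="products_exec">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#url.productid#">
    <cfprocresult name="getProductSP">
</cfstoredproc>

<cfoutput>
    <p>Parameterized query: #getProduct.productName#</p>
    <p>Stored procedure: #getProductSP.productName#</p>
</cfoutput>
```

The validation step and the cfqueryparam step overlap on purpose: the regex gives a clean application-level error for bad input, while the bound parameter guarantees that whatever reaches the driver is typed as an integer and never interpreted as SQL. The datasource split follows Billy's suggestion of one datasource per permission level, and it only counts for anything if the matching database login is restricted the same way.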




RE: Preventing SQL injection attacks...?

2002-04-12 Thread Yager, Brian T Contractor/NCCIM

Dave,

Could you show me an example of an SQL injection attack?  I want to test my app
to see what I need to do to protect against this.

Thanks,

Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342


-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


> make sure you are at the latest MDAC and have all service 
> pack applied for SQL. I think that the latest MDAC prevents 
> attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444





RE: Preventing SQL injection attacks...?

2002-04-12 Thread Kevin Schmidt

Ben Forta had an article in CFDJ last month that addresses this issue
somewhat.

Kevin


-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 10:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

That's what I thought.

Man, you think you're an expert, and then some 13 year old somewhere makes
you feel like a punk again :)

Is there a good paper on Macromedia.com about this? I read some of the stuff
but nothing seemed really on-point...

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 8:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


> make sure you are at the latest MDAC and have all service
> pack applied for SQL. I think that the latest MDAC prevents
> attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444






RE: Preventing SQL injection attacks...?

2002-04-12 Thread Ian Lurie

That's what I thought.

Man, you think you're an expert, and then some 13 year old somewhere makes
you feel like a punk again :)

Is there a good paper on Macromedia.com about this? I read some of the stuff
but nothing seemed really on-point...

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 8:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


> make sure you are at the latest MDAC and have all service
> pack applied for SQL. I think that the latest MDAC prevents
> attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444





RE: Preventing SQL injection attacks...?

2002-04-12 Thread Dave Watts

> make sure you are at the latest MDAC and have all service 
> pack applied for SQL. I think that the latest MDAC prevents 
> attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




RE: Preventing SQL injection attacks...?

2002-04-12 Thread Clint Tredway

If you are using 4.5 or above, you can use the cfqueryparam and that helps.

You can also do checks to see if your variables are integers or not (if that
is what you are passing); you can also compare vars to make sure what you
passed is what's there..

There are also many other things you can do..

HTH
Clint

-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?


Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's
trying to hack our database by inserting SQL query language into the URL
string.

We're doing all the standard security measures, including filtering for
single quotes, using database passwords, and the like, and we locked out
their IP immediately. But really, how do you prevent this? Any
ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com





RE: Preventing SQL injection attacks...?

2002-04-12 Thread Tony_Petruzzi

make sure you are at the latest MDAC and have all service pack applied for
SQL. I think that the latest MDAC prevents attacks like this, but I could be
wrong.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?


Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's
trying to hack our database by inserting SQL query language into the URL
string.

We're doing all the standard security measures, including filtering for
single quotes, using database passwords, and the like, and we locked out
their IP immediately. But really, how do you prevent this? Any
ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com





RE: Preventing SQL injection attacks...?

2002-04-12 Thread Kevin Schmidt

Are you using  on all your values too?  This is just one
more layer to help out.

Kevin


-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 10:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?

Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's
trying to hack our database by inserting SQL query language into the URL
string.

We're doing all the standard security measures, including filtering for
single quotes, using database passwords, and the like, and we locked out
their IP immediately. But really, how do you prevent this? Any
ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com





Preventing SQL injection attacks...?

2002-04-12 Thread Ian Lurie

Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's
trying to hack our database by inserting SQL query language into the URL
string.

We're doing all the standard security measures, including filtering for
single quotes, using database passwords, and the like, and we locked out
their IP immediately. But really, how do you prevent this? Any
ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com
