RE: Web Form Data Security

2004-08-20 Thread Dave Watts
> I can see how it may be possible to insert SQL into a number variable 
> on a web form given the var isn't quoted. But are varchar2 type vars
> invulnerable simply because they are single quoted in the query? Or are
> there ways that even that would allow SQL insertion? It seems impossible
> to me but then I'm not an expert on SQL.
>
> What about date type vars?  They aren't quoted.

If you use CFQUERYPARAM with all variables sent by the browser, you'll be
ok. If you don't, any one of those variables can be used to send SQL
commands of various sorts, including those you want to save to varchar2
fields.

> The MM docs mention 
> "Some databases, including Microsoft SQL Server and Sybase SQL Server,
> support the ability to send multiple SQL statements with each query."
>
> How are they defining multiple SQL statements...they are referring to
> semi-colon separated sql statements right?  

In many database platforms, you can use semicolons to separate SQL
statements within a single SQL batch. I don't know if that's true for all of
them, or if there are other ways to do it, but if there are, they'd count as
multiple SQL statements as well.

> They didn't mention Oracle in the list, so does anyone know if Oracle
> allows multiple statements?

I suspect this may have more to do with specific database drivers than with
the databases themselves.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444




Re: Web Form Data Security

2004-08-20 Thread CF Coder2
Not to beat this topic to death but...
I have a few more questions:

I can see how it may be possible to insert SQL into a number variable on a web form given the var isn't quoted.  But are varchar2 type vars invulnerable simply because they are single quoted in the query?  Or are there ways that even that would allow SQL insertion? It seems impossible to me but then I'm not an expert on SQL.

What about date type vars?  They aren't quoted.

The MM docs mention 
"Some databases, including Microsoft SQL Server and Sybase SQL Server, support the ability to send multiple SQL statements with each query."

How are they defining multiple SQL statements...they are referring to semi-colon separated sql statements right?  They didn't mention Oracle in the list, so does anyone know if Oracle allows multiple statements?  We're on 8i if that matters.



> > So is that adequate? 
> 
> yes.  You are invulnerable to sql injection if you use it on all of
> your inputs.  As in from-the-planet-Krypton invulnerable.
>




Re: Web Form Data Security

2004-08-19 Thread Damien McKenna
On Aug 18, 2004, at 5:58 PM, CF Coder2 wrote:
> What other best practices are there to ensure nothing can happen?

One idea would be to add a unique variable in a hidden field to each 
form.  You would store the variable in a database and clear it when the 
form was submitted.  If a form was submitted and there was not a 
matching variable the input would not be accepted.  This would be one 
way to avoid hacker/cracker/script-kiddies.

Then again, all they'd have to do is load the form, which would have a 
valid variable in it, then do their funny stuff based off the variable. 
I never said it was foolproof ;)
-- 
Damien McKenna - Web Developer - [EMAIL PROTECTED]
The Limu Company - http://www.thelimucompany.com/ - 407-804-1014
"Nothing endures but change." - Heraclitus
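Damien's hidden-field idea, written out as an added example for this archive (Python, not ColdFusion, and not code from the thread): a token is issued when the form is rendered, stored server-side, cleared when the form is submitted, and a submission with no matching token is refused, so a token can be used once only. The in-memory dict stands in for the database table he describes. It goes one step beyond the post, which is an assumption on my part: each token is tied to the session that received it, so a token loaded in one session is not accepted from another. As Damien notes, this still does nothing against someone who loads the form themselves and submits their own token; that is what input validation and parameterized queries are for.

```python
import html
import secrets

FIELD_NAME = "form_token"  # hypothetical hidden-field name


class FormTokenStore:
    """Server-side record of outstanding form tokens; a stand-in for the
    database table in the post. Maps token -> session id that received it."""

    def __init__(self):
        self._outstanding = {}

    def issue(self, session_id):
        """Create an unguessable token for one rendering of one form."""
        token = secrets.token_urlsafe(32)
        self._outstanding[token] = session_id
        return token

    def consume(self, session_id, token):
        """Accept only an outstanding token issued to this session, and
        clear it so the same token cannot be submitted twice."""
        owner = self._outstanding.get(token)
        if owner is None or not secrets.compare_digest(owner, session_id):
            return False
        del self._outstanding[token]
        return True


def render_form(store, session_id):
    """Return the hidden field to embed in the form for this session."""
    token = store.issue(session_id)
    return '<input type="hidden" name="%s" value="%s">' % (
        FIELD_NAME, html.escape(token, quote=True))


def handle_submission(store, session_id, form_fields):
    """True if the posted form carries a valid, unused token for this
    session; a missing, unknown, replayed or foreign token is refused."""
    token = form_fields.get(FIELD_NAME)
    if not token:
        return False
    return store.consume(session_id, token)


def demo():
    """Walk through the legitimate flow and the three refusals."""
    store = FormTokenStore()
    hidden = render_form(store, "session-A")          # constructed session id
    token = hidden.split('value="')[1].rstrip('">')   # what the browser posts back
    results = {
        "first_submit": handle_submission(store, "session-A", {FIELD_NAME: token}),
        "replay": handle_submission(store, "session-A", {FIELD_NAME: token}),
        "missing": handle_submission(store, "session-A", {}),
        "forged": handle_submission(store, "session-A", {FIELD_NAME: "made-up"}),
    }
    other = store.issue("session-A")
    results["foreign_session"] = handle_submission(store, "session-B", {FIELD_NAME: other})
    return results


if __name__ == "__main__":
    print(demo())
```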




Re: Web Form Data Security

2004-08-18 Thread CF Coder2
Thanks, Barney! Now it makes sense!




Re: Web Form Data Security

2004-08-18 Thread Barney Boisvert
XSS is cross site scripting, which is where a malicious user injects
some code that will be displayed on your site (and consequently
assumed to come from you by your users).  Comments on blogs are an
example.  If I drop a SCRIPT tag into a blog comment that launches a
popup window to porn site X, that's an example of XSS.

So I submit "window.open('http://www.google.com')" as
a comment.  Next time someone views the page, a window will pop up,
because that string was inserted into the body of the page with all the
other comments.  Running it through HTMLEditFormat(), however, would
yield this string
""
which, when inserted into the body of the comments page, will render
as the text I submitted.  No more unauthorized popup.

It gets trickier if you want to allow some HTML (like B, I, U, A and
IMG) tags, but nothing else.

cheers,
barneyb

On Wed, 18 Aug 2004 20:07:24 -0400, CF Coder2
<[EMAIL PROTECTED]> wrote:
> Thanks Matt and the others!
> This was helpful.
> 
> I'm not sure what the point of wrapping vars in HTMLEditFormat.  The Ref Man is almost useless in stating its value...returns an HTML-escaped string...so?  Why does that help?  I'll have to think on that.
> 
> I'll have to read up on XSS though.  Haven't a clue what that is.
> 
> 
-- 
Barney Boisvert
[EMAIL PROTECTED]
360.319.6145
http://www.barneyb.com




Re: Web Form Data Security

2004-08-18 Thread CF Coder2
Thanks Matt and the others!
This was helpful. 

I'm not sure what the point of wrapping vars in HTMLEditFormat.  The Ref Man is almost useless in stating its value...returns an HTML-escaped string...so?  Why does that help?  I'll have to think on that.

I'll have to read up on XSS though.  Haven't a clue what that is.




Re: Web Form Data Security

2004-08-18 Thread Barney Boisvert
See Matt's post.  ; )  I don't know of any place offhand to get more info.

Depending on your application, XSS may or may not be a concern.  It
usually is, but the magnitude of the problem varies widely, from a
couple fields on one form, to every field on every form.  And don't
discount URL fields either, they're just as important.

cheers,
barneyb

On Wed, 18 Aug 2004 18:27:13 -0400, CF Coder2
<[EMAIL PROTECTED]> wrote:
> Where can I learn about XSS protection?  I'm sure google can give me zillions of references but if you can recommend one or two that would be great.
> 
> > CFQUERYPARAM will protect your database from SQL injection attacks.
> > If you need other things (such as XSS protection), then you'll have
> > to
> > add some more code, usually as part of your validation code.
> >
> > cheers,
> > barneyb
> >
> 
> 
-- 
Barney Boisvert
[EMAIL PROTECTED]
360.319.6145
http://www.barneyb.com




Re: Web Form Data Security

2004-08-18 Thread CF Coder2
Where can I learn about XSS protection?  I'm sure google can give me zillions of references but if you can recommend one or two that would be great.

> CFQUERYPARAM will protect your database from SQL injection attacks. 
> If you need other things (such as XSS protection), then you'll have 
> to
> add some more code, usually as part of your validation code.
> 
> cheers,
> barneyb
>




Re: Web Form Data Security

2004-08-18 Thread Matt Robertson
> So is that adequate? 

yes.  You are invulnerable to sql injection if you use it on all of
your inputs.  As in from-the-planet-Krypton invulnerable.

What other best practices are there to ensure nothing can happen?

Unplug your web server from the internet and turn it off.

No, seriously, there is no way you can be absolutely secure.  You can
do your due diligence but you will never be safe from *everything* a
determined attacker will throw at you.

Some other things you can do are scrub your url parms for funny stuff.
In the most recent discussion on this Jochem mentioned that simply
plugging in htmleditformat() around your vars will proof them against
cross-site scripting.  I toss this into Application.cfm.


  

  



	input="#variables.thisurlvar#"
	r_output="myURL">
 
	
	


This uses a custom tag you can get out of the DevEx and may be
overkill. Still, it only eats about 10ms per page view and brings a
beatific albeit somewhat vacant look into my eyes.

You can also test for a valid referer on your forms, but those can be
easily faked by anyone who is serious.  The only way to put that one
to bed is to use those graphical thingies on a form where a human user
has read it and type in the letters in the graphic.  I forget what
they are called.

Is it Friday yet?  Gawd what a day...

-- 
--Matt Robertson--
MSB Designs, Inc.
mysecretbase.com
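Barney's comment-page example and Matt's Application.cfm habit are the same technique: escape everything the browser sent before it is written back into a page. The block below is an added illustration for this archive, written in Python rather than CFML and not code from either poster. escape_all() does what HTMLEditFormat() does; sanitize_allowlist() is my own answer to the "trickier" case Barney mentions, where B, I, U, A and IMG are allowed and everything else is turned into text. The tag list, the allowed attributes and the http/https-only rule for href and src are my assumptions, and the sample comments are constructed.

```python
import html
from html.parser import HTMLParser

# Tags a comment may keep, with the attributes each may carry (assumed list).
ALLOWED_TAGS = {"b": set(), "i": set(), "u": set(), "a": {"href"}, "img": {"src", "alt"}}
SAFE_URL_PREFIXES = ("http://", "https://")


def escape_all(text):
    """What HTMLEditFormat() does: every <, >, & and quote becomes an
    entity, so the browser displays the characters instead of parsing them."""
    return html.escape(text, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Rebuild a fragment keeping only allowed tags and attributes; all
    text, including the body of a dropped <script>, is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text still comes through handle_data
        pieces = [tag]
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # drops onclick, onerror, style, and everything else
            if name in ("href", "src"):
                if value is None or not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                    continue  # drops javascript: and other non-http(s) URLs
            pieces.append('%s="%s"' % (name, escape_all(value or "")))
        self.parts.append("<" + " ".join(pieces) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... /> needs no closing tag

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.parts.append("</%s>" % tag)

    def handle_data(self, data):
        # Entities were decoded by the parser, so re-escaping here also
        # normalises text that arrived already encoded.
        self.parts.append(escape_all(data))


def sanitize_allowlist(fragment):
    """Return the fragment with only the allowed markup left intact."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    # Constructed comments: one plain, one using allowed tags, one abusing them.
    for comment in (
        '<script>window.open("http://www.google.com")</script>',
        '<b>bold</b> and <a href="http://example.test/page">a link</a>',
        '<a href="javascript:alert(1)" onclick="x">click</a>',
    ):
        print(escape_all(comment))
        print(sanitize_allowlist(comment))
```

escape_all() is the right tool for URL parameters and any field that is only ever displayed, which is the bulk of Matt's case. The allowlist version is only worth its extra parsing when the application really must render some markup; note that it also strips the href of an otherwise allowed A tag when the URL is not http or https, since that is where the script would otherwise hide.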




Re: Web Form Data Security

2004-08-18 Thread Barney Boisvert
CFQUERYPARAM will protect your database from SQL injection attacks. 
If you need other things (such as XSS protection), then you'll have to
add some more code, usually as part of your validation code.

cheers,
barneyb

On Wed, 18 Aug 2004 17:58:08 -0400, CF Coder2
<[EMAIL PROTECTED]> wrote:
> >cfqueryparam
> 
> So is that adequate? What other best practices are there to ensure nothing can happen?
-- 
Barney Boisvert
[EMAIL PROTECTED]
360.319.6145
http://www.barneyb.com




Re: Web Form Data Security

2004-08-18 Thread CF Coder2
>cfqueryparam

So is that adequate? What other best practices are there to ensure nothing can happen?




Re: Web Form Data Security

2004-08-18 Thread Dick Applebaum
cfqueryparam

On Aug 18, 2004, at 2:40 PM, CF Coder2 wrote:

> How secure is a web form built with CF that (when submitted) INSERTS 
> the data into a database with respect to someone hacking and accessing 
> data from that database?  Is it possible for an expert to place SQL 
> code into text fields that will extract data in any way?
>
>  How can I guarantee that this won't happen?  i.e. how can I 
> filter/test the form data such that attempts such as this will be 
> prevented?
>
>  What do you do to prevent hacking via a web form that posts data into 
> a db?
>




RE: Web Form Data Security

2004-08-18 Thread Paul Vernon
Use cfqueryparam...