Re: cfqueryparam & EncodeForHTML
cfqueryparam and EncodeForHTML are used to prevent two different types of attack. cfqueryparam is for SQL injection attacks, as Byron explained. EncodeForHTML is used to prevent cross-site scripting attacks (it does not prevent/escape SQL injection), which exist when the attacker can execute arbitrary client-side code (such as JavaScript).

Suppose we specified companyName=Johnson & Johnson's
Re: cfqueryparam & EncodeForHTML
what you really need is a Web Application Firewall which will clean all form and url params and strip out anything dodgy. There are plenty of generic web server WAFs, or if you want a CF specific solution then try FuseGuard.

On Tue, Nov 4, 2014 at 5:26 PM, <> wrote:
> >>Like querying malicious data and using it in another cfquery without cfqueryparam.
>
> As an extra safety feature, if your application does not use multi-SQL statements at all, and depending on the type of database engine used, you could also streatly deactivate the multi-statement facility.
> If you're using an Access database, you don't even have to deactivate it: there is NO multi-statement facility.

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359561 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: cfqueryparam & EncodeForHTML
>>Like querying malicious data and using it in another cfquery without cfqueryparam.

As an extra safety feature, if your application does not use multi-SQL statements at all, and depending on the type of database engine used, you could also streatly deactivate the multi-statement facility.
If you're using an Access database, you don't even have to deactivate it: there is NO multi-statement facility.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359560
Re: cfqueryparam & EncodeForHTML
> Text input field
> Entry is Johnson & Johnson's
> I store it in a table using cfqueryparam. All is good.
>
> Let's say the hacked entry is Johnson & Johnson's;delete * (or something akin to that - you get the drift) I use cfqueryparam but it won't catch the hack; it's still just a string.

Actually, it will prevent the value from being used to execute malicious SQL. To me, that's "catching the hack". Converting the entire value to a string prevents the hack from working.

> At some point, before storing or after retrieval, I use EncodeForHTML to make that safe. Now I have either ...

I'm not sure what you're trying to accomplish. If it's to remove the part of the value containing something that would be malicious SQL if it were executable, you have to determine what exactly is that part of the string, and how you differentiate it from other parts of the value that wouldn't be malicious SQL if they were executable. But at this point, this has nothing to do with safety unless your application sends the string as-is to another application which isn't parameterizing its SQL statements.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business (SDVOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359559
Re: cfqueryparam & EncodeForHTML
cfqueryparam will not prevent the malicious data from getting entered into the table. However, it does prevent the malicious text from executing as T-SQL. cfqueryparam does not parse or cleanse data in any way. Basically it passes the text as a variable to the SQL statement, thus preventing any malicious code in the text from executing.

So instead of T-SQL actually executing like this:

select * from myTable where x='some'; delete * from myTable --'

cfqueryparam is actually running T-SQL something like this:

select * from myTable where x= @aVar

CF and the database driver are assigning @aVar your text string, @aVar = " some'; delete * from myTable -- ". So the value of the string inside the variable can never be executed, as it is not part of the actual T-SQL syntax. It is just a variable value at that point.

You can specify a data type for the query param. So if you specified cf_sql_integer and attempted to insert text with that parameter you would get a T-SQL error, a data type mismatch of sorts.

Hope this helps explain a bit.

~Byron

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359558
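Added example, not code from anyone in this thread: the Python script below uses the standard-library SQLite driver as a stand-in for ColdFusion and a real database, and runs the scenario Byron describes. The same input is sent once by splicing it into the statement text (what a <cfquery> that interpolates #form.companyName# without cfqueryparam does) and once as a bound parameter (what cfqueryparam does). It then shows the single-statement-driver point raised earlier in the thread (stacked statements refused, but a tautology in a WHERE clause still returns every row) and the EncodeForHTML distinction from the top of the thread, with encoding applied when the value is rendered rather than before it is stored, so that Larry's search against the stored value still works. The table, the column and every input string are constructed for the example; the mapping to the CF tags is an analogy, not CF's implementation.

```python
import html
import sqlite3

# All inputs are constructed for this example. LEGIT is the value from the
# thread; the other three are attacker-supplied strings shaped for the two
# statement contexts used below.
LEGIT = "Johnson & Johnson's"
STACKED_INSERT = "Johnson'); DELETE FROM company; SELECT ('bye"
STACKED_WHERE = "Johnson'; DELETE FROM company; SELECT 'bye"
TAUTOLOGY = "x' OR 'a' = 'a"


def fresh_db():
    """In-memory SQLite table with one pre-existing row (stand-in for the real DB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE company (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("INSERT INTO company (name) VALUES ('Acme')")
    conn.commit()
    return conn


def names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM company ORDER BY id")]


def insert_concat(conn, name):
    """Vulnerable: the value is spliced into the statement text, as a <cfquery>
    that interpolates #form.companyName# without cfqueryparam would do.
    executescript() behaves like a driver that runs stacked statements."""
    conn.executescript(f"INSERT INTO company (name) VALUES ('{name}')")
    conn.commit()


def insert_param(conn, name):
    """Parameterized: the value is bound to a placeholder and never reaches the
    SQL parser. This is the mechanism behind <cfqueryparam cfsqltype="cf_sql_varchar">."""
    conn.execute("INSERT INTO company (name) VALUES (?)", (name,))
    conn.commit()


def find_concat_single_statement(conn, term):
    """Still concatenating, but through execute(), which refuses more than one
    statement per call: the 'no multi-statement facility' case from the thread."""
    return [row[0] for row in conn.execute(
        f"SELECT name FROM company WHERE name = '{term}' ORDER BY id")]


def find_param(conn, term):
    """Substring search against the raw stored value."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM company WHERE name LIKE ? ORDER BY id", ("%" + term + "%",))]


def render_cell(name):
    """Output-side escaping, the job EncodeForHTML does: applied when the value
    is written into HTML, not before it is stored."""
    return html.escape(name, quote=True)


def demo():
    results = {}

    # 1a. Concatenation: the legitimate apostrophe alone breaks the statement.
    conn = fresh_db()
    try:
        insert_concat(conn, LEGIT)
        results["concat_legit"] = "ok"
    except sqlite3.Error:
        results["concat_legit"] = "syntax error"

    # 1b. Concatenation: the stacked payload runs and empties the table.
    conn = fresh_db()
    insert_concat(conn, STACKED_INSERT)
    results["concat_stacked_rows"] = names(conn)

    # 2. Parameterized: both values are stored verbatim; nothing executes.
    conn = fresh_db()
    insert_param(conn, LEGIT)
    insert_param(conn, STACKED_INSERT)
    results["param_rows"] = names(conn)

    # 3a. Single-statement driver: the stacked payload is refused before it runs
    #     (ProgrammingError on current Pythons, sqlite3.Warning on older ones).
    try:
        find_concat_single_statement(conn, STACKED_WHERE)
        results["single_stmt_stacked"] = "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        results["single_stmt_stacked"] = "refused"
    results["rows_after_refusal"] = len(names(conn))

    # 3b. ...but a tautology needs no second statement and returns every row,
    #     so refusing stacked queries is not a substitute for parameters.
    results["single_stmt_tautology"] = find_concat_single_statement(conn, TAUTOLOGY)

    # 4. Search hits the raw value; HTML encoding happens only at render time.
    results["search"] = find_param(conn, "Johnson's")
    results["rendered"] = render_cell(LEGIT)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it as a script to see each step's outcome. The two points worth taking from it: the parameterized path stores the hostile string unchanged, which is exactly the "it's still just a string" observation, and that is the safe outcome; and the string only becomes dangerous again if some later query builds SQL from it by concatenation, which is the case Byron and Dave both flag.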
RE: cfqueryparam & EncodeForHTML
I did - many times before I sent the message. So, explain, please.

From CF: "(cfqueryparam) Verifies the data type of a query parameter ..."

My example is a text field. The potential inject/bad data language is text. I just tested it and cfqueryparam did not prevent me from entering potentially bad data into the table.

Larry V. Stephens

-----Original Message-----
From: .jonah [mailto:jonah@creori.com]
Sent: Monday, November 03, 2014 9:46 PM
To: cf-talk
Subject: Re: cfqueryparam & EncodeForHTML

Read up on how query param works. It will protect against Johnson & Johnson's;delete *

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359557
Re: cfqueryparam & EncodeForHTML
Larry,

You are already using cfqueryparam so you are "protected" for the most part. I say most part, because you could still extract the data from the db and have bad consequences if you are not considerate of the underlying data and how you use it. Like querying malicious data and using it in another cfquery without cfqueryparam.

In general it is best practice to save data as it was transmitted and in as raw a format as possible and leave the logic up to the application on how to process and present data. Could get rebuttals on that but it is my preference.

That said, it's not that you shouldn't or can't html encode. You just need to make the decision based on the requirements at hand. If you're storing html code for presentation later, this may very well make sense, where doing so for a company name probably does not.

+1 on being so security aware.

Byron

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359556
Re: cfqueryparam & EncodeForHTML
Read up on how query param works. It will protect against Johnson & Johnson's;delete *

On 11/3/14, 12:41 PM, Stephens, Larry V wrote:
> Text input field
> Entry is Johnson & Johnson's
> I store it in a table using cfqueryparam. All is good.
>
> Let's say the hacked entry is Johnson & Johnson's;delete * (or something akin to that - you get the drift) I use cfqueryparam but it won't catch the hack; it's still just a string.
>
> At some point, before storing or after retrieval, I use EncodeForHTML to make that safe. Now I have either
>
> Johnson & Johnson's
>
> or
>
> Johnson & Johnson's;delete *
>
> Supposedly, that's safe. Regex could strip out the "delete" or kill the thing when I tried to save the data in the first place, but I tried several examples and none seemed to work.
>
> The thing is, Johnson & Johnson's may display correctly on the screen but it's not good for a search function, particularly if I have a legacy database.
>
> To parody a commercial for a different product, what are you using for protection?
>
> Larry V. Stephen

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359555
cfqueryparam & EncodeForHTML
Text input field
Entry is Johnson & Johnson's
I store it in a table using cfqueryparam. All is good.

Let's say the hacked entry is Johnson & Johnson's;delete * (or something akin to that - you get the drift) I use cfqueryparam but it won't catch the hack; it's still just a string.

At some point, before storing or after retrieval, I use EncodeForHTML to make that safe. Now I have either

Johnson & Johnson's

or

Johnson & Johnson's;delete *

Supposedly, that's safe. Regex could strip out the "delete" or kill the thing when I tried to save the data in the first place, but I tried several examples and none seemed to work.

The thing is, Johnson & Johnson's may display correctly on the screen but it's not good for a search function, particularly if I have a legacy database.

To parody a commercial for a different product, what are you using for protection?

Larry V. Stephen

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359552