Coldfusion SQL Hack

2010-03-22 Thread Anthony Doherty
I have a site page that is only using the query below and the site keeps getting hit by SQL hacks. I have looked through every SQL query and all the queries are using cfqueryparam value=#URL.???# cfsqltype=cf_sql_numeric so they can't be hacked. Can someone explain how I can amend this query

RE: Coldfusion SQL Hack

2010-03-22 Thread Hugo Ahlenius
Anthony Doherty wrote on 2010-03-22: I have a site page that is only using the query below and the site keeps getting hit by SQL hacks. I have looked through every SQL query and all the queries are using cfqueryparam value=#URL.???# cfsqltype=cf_sql_numeric so they can't be hacked. What

Re: Coldfusion SQL Hack

2010-03-22 Thread Joe None
I have a site page that is only using the query below and the site keeps getting hit by SQL hacks. I have looked through every SQL query and all the queries are using cfqueryparam value=#URL.???# cfsqltype=cf_sql_numeric so they can't be hacked. Can someone explain how I can amend this

Re: Coldfusion SQL Hack

2010-03-22 Thread Dorioo
I'm making certain assumptions, but are you ensuring your feedback is clean when it's saved? If it's not, that'd explain how they're getting nastiness into the DB, which is then called in that query. If not, explain a little more of the attack, as that query would not be susceptible to SQL injection

Re: Coldfusion SQL Hack

2010-03-22 Thread Anthony Doherty
The Feedback section is entered with an administration section and this is locked down with a username and password. The feedback section is only a text field and the person using the site, let's say, is not clued in! Throughout the site I have a number of pages that are database driven and the

Re: Coldfusion SQL Hack

2010-03-22 Thread Peter Boughton
That's not SQL injection, it's HTML injection. (Or XSS as the fashionable term is). You need to use HtmlEditFormat (or similar function) to ensure all content output to HTML pages gets appropriately escaped. (If you need to allow certain HTML, escape it all, and then unescape only the safe

Re: Coldfusion SQL Hack

2010-03-22 Thread Dorioo
The query you provided is only retrieving the offending code but would likely not be the source. I'd look at other sources. 1. Check if the javascript is saved in the database along with the feedback. If it is, then start looking at all the places where the feedback is entered. 2. Are you

Re: Coldfusion SQL Hack

2010-03-22 Thread Anthony Doherty
How can I use this function 'HtmlEditFormat' on my FEEDBACK field? Also, before I removed the code there was some javascript being stored in the FEEDBACK field as well. I don't think they are entering the HACK from the administration section, but could this type of HACK be made from a

Re: Coldfusion SQL Hack

2010-03-22 Thread Dorioo
1. You'd use HtmlEditFormat on any page that displayed the feedback. So on the public page if you show it back to the user and on the admin page. Generally, anywhere you're using #feedback# you'd want to do #htmlEditFormat(feedback)# 2. Yes, if you have a public form that is a simple text box
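As an added illustration of Dorioo's advice (this is not code from the thread), a CFML page that parameterises both the read and the write with cfqueryparam and escapes the stored text with HtmlEditFormat at output time; the datasource, table, column and URL/FORM parameter names are assumed.

```cfml
<!--- Added example, not code from the cf-talk thread. The datasource,
      the Feedback table, its columns and the CountyID parameter are assumed. --->

<!--- Read side: cfqueryparam keeps the WHERE clause safe from SQL injection.
      This is what the thread's original query already does correctly. --->
<cfquery name="qFeedback" datasource="#application.dsn#">
    SELECT   f.ID, f.FEEDBACK, f.Created
    FROM     Feedback f
    WHERE    f.CountyID = <cfqueryparam value="#URL.CountyID#" cfsqltype="cf_sql_numeric">
    ORDER BY f.Created DESC
</cfquery>

<!--- Write side: parameterise the INSERT as well. The text is stored as typed;
      escaping belongs at output time, so anything already in the table is
      also covered when it is displayed. --->
<cfif structKeyExists(FORM, "feedback")>
    <cfquery datasource="#application.dsn#">
        INSERT INTO Feedback (CountyID, FEEDBACK, Created)
        VALUES (
            <cfqueryparam value="#FORM.countyID#" cfsqltype="cf_sql_numeric">,
            <cfqueryparam value="#FORM.feedback#" cfsqltype="cf_sql_varchar" maxlength="2000">,
            <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
        )
    </cfquery>
</cfif>

<!--- Output side: the stored string may contain <script> tags. A bare
      #FEEDBACK# would hand them to the browser as markup; HtmlEditFormat
      converts < > & " to entities so they render as literal text.
      (ColdFusion 10 and later also offer EncodeForHTML() for this.) --->
<cfoutput query="qFeedback">
    <div class="feedback">
        <p>#HtmlEditFormat(qFeedback.FEEDBACK)#</p>
        <small>#DateFormat(qFeedback.Created, "yyyy-mm-dd")#</small>
    </div>
</cfoutput>
```

The same HtmlEditFormat call belongs on the admin page that lists feedback, since an administrator's browser is just as exposed to stored script as a public visitor's.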

Re: Coldfusion SQL Hack

2010-03-22 Thread Mike Chabot
The query you wrote is not hackable via SQL injection. No changes need to be made to it. -Mike Chabot On Mon, Mar 22, 2010 at 7:04 AM, Anthony Doherty a.dohe...@advancesystems.co.uk wrote: I have a site page that is only using the query below and the site keeps getting hit by SQL hacks.  I

RE: ColdFusion SQL Hack

2010-03-22 Thread Paul Alkema
-Original Message- From: Mike Chabot [mailto:mcha...@gmail.com] Sent: Monday, March 22, 2010 9:25 AM To: cf-talk Subject: Re: Coldfusion SQL Hack The query you wrote is not hackable via SQL injection. No changes need to be made to it. -Mike Chabot On Mon, Mar 22, 2010 at 7:04 AM, Anthony Doherty

RE: ColdFusion SQL Hack

2010-03-22 Thread Mark A. Kruger
I would ensure that every single update / insert on your site is using cfqueryparam's for security's sake; however, it sounds to me like your issue is not SQL injection, but more XSS attacks. An XSS attack is where data is inserted

Re: ColdFusion SQL Hack

2010-03-22 Thread Anthony Doherty
I have added the #htmlEditFormat# TAG and will monitor the site over the coming weeks and see what happens. Thanks to everyone who helped!

Re: ColdFusion SQL Hack

2010-03-22 Thread Joe None
I have added the #htmlEditFormat# TAG and will monitor the site over the coming weeks and see what happens. Thanks to everyone who helped! The Feedback section is entered with an administration section and this is locked down with a username and password. If you say the person doing

Re: ColdFusion SQL Hack

2010-03-22 Thread Al Musella, DPM
I would also add this: http://www.cflib.org/udf/FormStripHTML strip out the HTML before it goes into the database. This query below is only hackable if the County.ID is a text field and people can enter it from a website. (Like if you ask for an