One of my favorites is the use of the SQL Server system stored
procedure xp_cmdshell to open a command shell, which can be used to
fetch a file from an attacker's FTP server and run it.
I always knew Dave was a cracker (not hacker!) extraordinaire :-)
Oh, hardly. I didn't discover it
Are CFID and CFTOKEN vulnerable to this if they are stored as
cookies and you are using a DB to store client variables?
Since I assume you could easily modify the CFID and CFTOKEN
in the cookie file that the browser maintains.
To be honest, I don't really know what the exact SQL is that's
Are you using cfqueryparam on all your values too? This is just one
more layer to help out.
Kevin
-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?
Hi all,
Had some
If you are using 4.5 or above, you can use cfqueryparam, and that helps.
You can also do checks to see whether your variables are integers or not (if that
is what you are passing); you can also compare vars to make sure what you
passed is what's there.
There are also many other things you can do.
make sure you are at the latest MDAC and have all service
pack applied for SQL. I think that the latest MDAC prevents
attacks like this, but I could be wrong.
No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.
Dave Watts, CTO, Fig
-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?
Sent: Friday, April 12, 2002 10:36 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?
Dave,
Could you show me an example of an SQL injection attack? I want to test
my app to see what I need to do to protect against this.
Thanks,
Brian Yager
President - North AL Cold
[EMAIL PROTECTED]
http://www.spectrumastro.com
-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 8:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?
That's what I thought.
Man, you think you're an expert, and then some 13 year old
Sent: Friday, April 12, 2002 10:40 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?
Had some interesting errors in our logs yesterday. It
appears that someone's trying to hack our database by
inserting SQL query language into the URL string.
We're
This is probably the biggest security problem with web applications. It
boils down to securing and validating your input. Most of these attacks
are successful only when you're evaluating a number - since a string
won't execute SQL, but only evaluate it as a string input. So if you're
expecting
Stored procedures are your friends.
They enforce strict datatypes.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 12 April 2002 17:11
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?
This is probably the biggest security problem
won't execute SQL, but only evaluate it as a string input. So if you're
expecting numbers, then validate, using isNumeric() or CFQueryParam.
Or if you know a value must be numeric, wrap a val() around it. That will
knock any text strings down to 0 and prevent an SQL error from being thrown,
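The isNumeric()/val() advice above, as an added example that is not part of the thread: a Python approximation of ColdFusion's val() and isNumeric() (assumed semantics: val() returns the leading number of a string, or 0 when there is none; isNumeric() accepts only a string that is entirely a number), run over a few constructed URL values. It shows what each check lets through to the query, and the edge case the thread does not spell out: val() stops the injection but silently turns "12;drop table yourtable" into a request for ID 12 and "abc" into a request for ID 0.

```python
import re

# Leading number: optional sign, digits with optional fraction, or a bare
# fraction like ".5". Assumed to approximate how CF's val() scans a string.
_LEADING_NUMBER = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)")
_WHOLE_NUMBER = re.compile(r"\s*[+-]?(\d+\.?\d*|\.\d+)\s*")


def cf_val(value):
    """Approximation of ColdFusion val(): numeric prefix of the string, else 0."""
    m = _LEADING_NUMBER.match(str(value))
    if not m:
        return 0
    number = float(m.group(0))
    return int(number) if number.is_integer() else number


def cf_is_numeric(value):
    """Approximation of ColdFusion isNumeric(): the whole string must be a number."""
    return _WHOLE_NUMBER.fullmatch(str(value)) is not None


def classify(raw):
    """What each approach would send to the database for one URL value.

    'isNumeric' is the value after a strict check (None means the request is
    rejected); 'val' is what val() would substitute into the query instead.
    """
    return {
        "isNumeric": cf_val(raw) if cf_is_numeric(raw) else None,
        "val": cf_val(raw),
    }


if __name__ == "__main__":
    # Constructed sample URL values, including the thread's own attack string.
    for raw in ["2", "3.5", "2 OR 1=1", "12;drop table yourtable", "abc", ""]:
        print(repr(raw), classify(raw))
```

Both checks keep SQL text out of a numeric comparison, but only the isNumeric() path tells the caller that something was wrong; the val() path quietly serves a different record, which is fine for a product page and a problem for anything where the wrong ID has consequences.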
Sent: Friday, April 12, 2002 12:36 PM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?
Could you show me an example of an SQL injection attack? I
want to test my app to see what I need to do to protect
against this.
All of these sorts of attacks rely
There is a custom tag... cf_formfilter on the developers exchange that I've been
using... It searches the caller.form.fieldnames structure looking for all sorts of
nasty includes.
After just reading it again I think I can also make it filter url submitted input as
well.
Anyone here use or
Sent: Friday, April 12, 2002 12:01 PM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?
Let's say your query is:
Select productName from products where productID = #url.productid#
If the url is page.cfm?productid=2 then your db sees
Select productName from products where productID = 2
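The productID query above, as an added example that is not part of the thread and answers Brian's request for something to test against: an in-memory SQLite database stands in for SQL Server (table and rows constructed here), the first function pastes the URL value into the SQL text exactly as "where productID = #url.productid#" does, and the second binds it as a parameter, which is what cfqueryparam does. Because SQLite's execute() refuses to run more than one statement, executescript() is used to emulate the batch that SQL Server would run for the "12; drop table" value.

```python
import sqlite3


def fresh_db():
    """Constructed sample data: three products in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (productID integer, productName text)")
    conn.executemany("insert into products values (?, ?)",
                     [(1, "Widget"), (2, "Gadget"), (3, "Gizmo")])
    return conn


def lookup_concat(conn, productid):
    """Vulnerable: the URL value becomes part of the SQL text."""
    sql = "select productName from products where productID = " + productid
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, productid):
    """Safe: the value is bound separately and is never parsed as SQL."""
    sql = "select productName from products where productID = ?"
    return [row[0] for row in conn.execute(sql, (productid,))]


def tables(conn):
    """Names of the tables that still exist."""
    return [r[0] for r in conn.execute(
        "select name from sqlite_master where type = 'table'")]


def run_batch_concat(conn, productid):
    """Vulnerable, stacked statements: emulates a driver that runs a batch
    (SQL Server does; SQLite's execute() does not, hence executescript())."""
    sql = "select productName from products where productID = " + productid
    conn.executescript(sql)
    return tables(conn)


if __name__ == "__main__":
    conn = fresh_db()
    print(lookup_concat(conn, "2"))            # the normal request
    print(lookup_concat(conn, "2 OR 1=1"))     # tautology: every row comes back
    print(lookup_param(conn, "2 OR 1=1"))      # bound value: no row matches
    print(lookup_param(conn, "12; drop table products"))
    print(run_batch_concat(conn, "12; drop table products"))  # table is gone
```

The bound value "2 OR 1=1" is compared as a string against the integer column and matches nothing; the same text concatenated into the query is parsed as SQL and matches everything.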
[EMAIL PROTECTED] wrote:
You can't forget that form fields also play a part in this. After reading
the information provided in Jeff's link, it did shine a light. Although I
have been taught from the beginning to always use val() around numeric
values (thank Adam) and to use regex to validate
Sent: Friday, April 12, 2002 1:37 PM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?
cfparam type=date|numeric|string|boolean|UUID|... can be used for
validating almost anything. It's an underused function.
Sharon DiOrio
- Original Message -
From: Justin Scott [EMAIL PROTECTED]
To: CF
the equivalent SQL statement of:
select * from table where id = '12;drop table yourtable'
- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:00 am
Subject: RE: Preventing SQL injection attacks...?
let's say you have a text field that is 100 characters long. you
... I better go test that to be sure grins
Shawn Grover
-Original Message-
From: Brian Scandale [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:53 AM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?
There is a custom tag... cf_formfilter on the developers
[EMAIL PROTECTED]
http://www.sheriff.org
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:45 PM
To: CF-Talk
Subject: Re: RE: Preventing SQL injection attacks...?
cfqueryparam does in fact prevent that code from running
http://www.houseoffusion.com/hof/security/database.cfm
Joe Hoffman mailto:[EMAIL PROTECTED]
National Institutes of Health
Center for Information Technology
Division of Computer System Services
-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002
What if you added a replace statement, doubling up on all single quotes?...
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:47 AM
To: CF-Talk
Subject: RE: RE: Preventing SQL injection attacks...?
still. if i had the value
tony
#
cfsqltype=CF_SQL_VARCHAR
It would create the equivalent SQL statement of:
select * from table where id = '12;drop table yourtable'
- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:00 am
Subject: RE: Preventing SQL injection attacks...?
let's say you have
No, it won't.
It'll produce the SQL equivalent of:
select * from mytable where username = 'tony ''drop table tablename --'
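The "doubling up on all single quotes" question and Dave's answer, as an added example that is not part of the thread (SQLite in memory, table and rows constructed here): in a quoted string context the doubled quote stays inside the literal, so the username query comes out exactly as Dave writes it and matches nothing; in a numeric context there are no quotes to double, so the same replace() leaves "2 or 1=1" untouched and the query returns every row.

```python
import sqlite3


def sample_db():
    """Constructed sample data: three users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (id integer, username text)")
    conn.executemany("insert into mytable values (?, ?)",
                     [(1, "alice"), (2, "tony"), (3, "bob")])
    return conn


def double_quotes(value):
    """The replace() the question asks about: every ' becomes ''."""
    return value.replace("'", "''")


def by_username(conn, username):
    """String context: the escaped value cannot close the literal."""
    sql = "select id from mytable where username = '" + double_quotes(username) + "'"
    return [r[0] for r in conn.execute(sql)]


def by_id(conn, raw_id):
    """Numeric context: nothing to escape, so the value is still parsed as SQL."""
    sql = "select username from mytable where id = " + double_quotes(raw_id)
    return [r[0] for r in conn.execute(sql)]


def table_exists(conn):
    """True while mytable is still there."""
    return conn.execute(
        "select count(*) from sqlite_master where name = 'mytable'").fetchone()[0] == 1


if __name__ == "__main__":
    conn = sample_db()
    print(by_username(conn, "tony"))
    print(by_username(conn, "tony 'drop table mytable --"))  # one literal, no match
    print(table_exists(conn))
    print(by_id(conn, "2"))
    print(by_id(conn, "2 or 1=1"))                           # every row
```

Quote doubling is what ColdFusion already does to variables inside cfquery unless PreserveSingleQuotes() is used, which is why the thread's dangerous cases are the unquoted numeric ones; a bound parameter (cfqueryparam) covers both contexts, a replace() covers only the quoted one.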
- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:46 am
Subject: RE: RE: Preventing SQL injection attacks...?
still. if i had
Date: Friday, April 12, 2002 2:03 pm
Subject: RE: RE: RE: Preventing SQL injection attacks...?
I will have to take your word for it since I have probably
never used cfqueryparam, nor intend to. I personally always
use stored procedures and I do all of my validation myself.
If cfqueryparam works for you, then use it and God bless. I
have been taught differently, and personally I
This code would fail my own code review. I don't allow any
url. or form. variables inside CFQUERY statements. This,
however, might pass.
<!--- Validate ID --->
<cfif #isdefined("id")# is true>
<cfset theId=#val(htmleditformat(REreplacenocase(id, "[*,;^:?|\]", "", "ALL")))#>
<cfelse>
Why not just use cfqueryparam? It validates, and it makes your
SQL code run faster.
While using CFQUERYPARAM can provide better performance than not using it,
certain platforms will benefit more from stored procedures than from
prepared statements - SQL Server, for example. On the other