Preventing an SQL Injection Attack
Ben Forta’s blog has an entry about SQL injection attacks when using ColdFusion. Manuals and tutorials never talk about preventing these types of attacks, so I’m not surprised that there are still vulnerable sites.
In short, the vulnerability occurs when a site uses data from the URL to dynamically alter an SQL statement. A semicolon in that data allows an attacker to append another SQL statement. This vulnerability occurs mostly with non-text fields, so it matters any time you’re referring to a key field, which is usually numeric.
The solution: (1) use cfparam to define the variable’s type, (2) have the page check that the URL variable exists and is of the expected type, and (3) use cfqueryparam to explicitly define the variable’s value.
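Here is what those three steps look like in CFML, as an added example that is not from the original post, Ben’s entry, or the cookbook. It assumes a datasource named myDS and a table products with an integer key productID; adjust those names to your own application. The first query shows the vulnerable form the post describes, the second shows the same query with the three fixes applied.

```cfml
<!--- Added example (not from the original post). Assumes a datasource
      named "myDS" and a table "products" with an integer key "productID". --->

<!--- VULNERABLE: url.id is pasted straight into the SQL text, so a
      semicolon in the URL value can turn it into a second statement
      if the driver allows multiple statements in one query. --->
<cfquery name="getProductUnsafe" datasource="myDS">
    SELECT productID, productName, price
    FROM products
    WHERE productID = #url.id#
</cfquery>

<!--- (1) Declare the expected type. cfparam throws if url.id is present
      but not an integer; if it is missing, the default of 0 is used and
      rejected by the check below. --->
<cfparam name="url.id" type="integer" default="0">

<!--- (2) Explicit check: the variable must exist and be a positive integer.
      isValid() is available from ColdFusion MX 7 onward. --->
<cfif NOT isValid("integer", url.id) OR url.id LTE 0>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid product id.</cfoutput>
    <cfabort>
</cfif>

<!--- (3) Bind the value with cfqueryparam: it is sent to the database as a
      typed parameter and is never spliced into the SQL string. --->
<cfquery name="getProduct" datasource="myDS">
    SELECT productID, productName, price
    FROM products
    WHERE productID = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

Of the three steps, cfqueryparam is the one that actually closes the hole: even if the type check were skipped, the database receives the value as a bound integer parameter rather than as part of the statement text. The cfparam and the explicit check are still worth keeping, because they fail fast with a clear error instead of leaving the database to reject a malformed value.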
Resources:
Ben’s Post: SQL Injection Attacks, Easy to Prevent, But Apparently Still Ignored.
CF Cookbook post: How can I prevent SQL injection attacks?
Macromedia Security bulletin ASB99-04 Multiple SQL statements in dynamic queries.
