I learned it the hard way. The following CFQUERYPARAM statement is not enough to prevent SQL injection attacks:

<cfquery name="Recordset1" datasource="cafetownsend">
    SELECT * FROM COMMENTS WHERE COMMENT_ID = <cfqueryparam value="#URL.COMMENT_ID#" cfsqltype="cf_sql_numeric">
</cfquery>
A Chinese website was able to inject data carrying a Trojan virus. Be aware! Please use stored procedures for all your queries.
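As an added example (not code from either post), here is the same lookup written in Python against an in-memory SQLite table. It keeps the thread's COMMENTS table and COMMENT_ID column but the rows are constructed. One function pastes the URL value into the SQL text, which is what an unparameterized <cfquery> does; the other checks the value as an integer and binds it, which is what <cfqueryparam cfsqltype="cf_sql_numeric"> (or CF_SQL_INTEGER, as Tony suggests below) does. Running both against an injection payload shows what the parameter buys: the concatenated version returns every row, or the schema when a UNION is appended, while the bound version refuses the value before it ever reaches the database. Note that a parameter protects only the statement it appears in; any other query in the application that still concatenates user input remains injectable.

```python
import sqlite3

SCHEMA_SQL = "CREATE TABLE COMMENTS (COMMENT_ID INTEGER PRIMARY KEY, BODY TEXT)"
# Constructed sample rows; the real cafetownsend data is not on the page.
SAMPLE_ROWS = [(1, "first comment"), (2, "second comment"), (3, "third comment")]


def make_db():
    """In-memory stand-in for the cafetownsend datasource (assumption: SQLite)."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA_SQL)
    con.executemany("INSERT INTO COMMENTS VALUES (?, ?)", SAMPLE_ROWS)
    return con


def lookup_concatenated(con, comment_id):
    """Unparameterized query: #URL.COMMENT_ID# is spliced into the SQL text as-is."""
    sql = "SELECT COMMENT_ID, BODY FROM COMMENTS WHERE COMMENT_ID = " + comment_id
    return con.execute(sql).fetchall()


def lookup_parameterized(con, comment_id):
    """cfqueryparam behaviour: type-check the value, then bind it as data, never as SQL."""
    # int() raises ValueError for "1 OR 1=1", the same way an invalid
    # cf_sql_numeric / CF_SQL_INTEGER value is rejected before the query runs.
    value = int(comment_id)
    sql = "SELECT COMMENT_ID, BODY FROM COMMENTS WHERE COMMENT_ID = ?"
    return con.execute(sql, (value,)).fetchall()


def compare(payload):
    """Run one URL value through both versions and report what each returned."""
    con = make_db()
    concatenated = lookup_concatenated(con, payload)
    try:
        bound = lookup_parameterized(con, payload)
        refused = False
    except ValueError:
        bound, refused = [], True
    return {"concatenated": concatenated, "bound": bound, "refused": refused}


if __name__ == "__main__":
    for payload in ("2", "1 OR 1=1", "0 UNION SELECT name, sql FROM sqlite_master"):
        result = compare(payload)
        outcome = "refused" if result["refused"] else f"{len(result['bound'])} row(s) bound"
        print(repr(payload), "->", len(result["concatenated"]), "row(s) concatenated;", outcome)
```

The UNION payload is the interesting one: against the concatenated query it returns the CREATE TABLE statement from sqlite_master (the equivalent of reading INFORMATION_SCHEMA on a real server), which is exactly the reconnaissance step that precedes writing a payload into the comments table.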
I thought I would post some of my thoughts on this topic in the spirit of sharing.
Firstly, Daniel, I would use CF_SQL_INTEGER rather than NUMBER. My rule of thumb for any number format is "am I doing calculations with it?". If the answer is no, and the numbers are whole, use INTEGER.
To guard against SQL injection I use the full CFQUERYPARAM:

<cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#session.user#" null="#YesNoFormat(NOT Len(Trim(session.user)))#">
Also, monitor your URL strings in the application.cfm file with something like...

<!--- FindNoCase returns the position of the match, or 0 when there is none --->
<cfif FindNoCase("|", cgi.query_string) gt 0>
    <cfabort showerror="Sorry, you appear to be attempting to hack our site.">
</cfif>
And on pages that I can isolate as action pages I police traffic by domain. If they are not arriving at that page FROM my domain, they get bounced. For example...

<cfif FindNoCase("www.mydomain.com", cgi.http_referer) is 0>
    <cfscript>StructClear(session);</cfscript>
    <cflocation url="http://www.fbi.gov">
</cfif>
I just wanted to share some tricks I use. I am sure this is not all that can be done; this is just what I have arrived at from experience.
Tony
This message was edited by tgruen on 3-7-11 @ 11:14 PM
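As an added example (not Tony's code), the two request checks from his post, rewritten in Python and run over a few constructed requests so the decisions can be seen side by side. The query-string check flags a pipe anywhere in the string. The referer check compares the parsed hostname against the trusted domain rather than searching for the domain as a substring, because a substring match would also accept a referer such as http://evil.example/?r=www.mydomain.com. Keep in mind that the Referer header is supplied by the client and can be omitted or set to anything, so this check only turns away clients that do not bother to forge it. The domain name and the sample requests are placeholders, not data from the thread.

```python
from urllib.parse import urlparse

TRUSTED_HOST = "www.mydomain.com"  # placeholder from the post, not a real site


def suspicious_query_string(query_string):
    """Mirror of FindNoCase("|", cgi.query_string) gt 0: any pipe anywhere is flagged."""
    return "|" in query_string


def referer_allowed(http_referer, trusted_host=TRUSTED_HOST):
    """Accept the request only if the Referer's hostname is exactly the trusted host.

    Parsing the URL (instead of substring search) stops
    http://evil.example/?r=www.mydomain.com from slipping through.
    A missing or unparsable Referer is treated as foreign.
    """
    host = urlparse(http_referer).hostname or ""
    return host.lower() == trusted_host.lower()


def police_request(query_string, http_referer):
    """Decide what the action page does: abort, bounce (clear session + redirect), or allow."""
    if suspicious_query_string(query_string):
        return "abort"     # cfabort with the "attempting to hack" message
    if not referer_allowed(http_referer):
        return "bounce"    # StructClear(session) then cflocation to fbi.gov
    return "allow"


# Constructed sample requests: (cgi.query_string, cgi.http_referer)
SAMPLE_REQUESTS = [
    ("id=5", "http://www.mydomain.com/list.cfm"),
    ("id=5|dir", "http://www.mydomain.com/list.cfm"),
    ("id=5", "http://evil.example/?r=www.mydomain.com"),
    ("id=5", ""),
    ("id=5", "http://WWW.MYDOMAIN.COM/other.cfm"),
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Return (query_string, referer, decision) for each sample request."""
    return [(qs, ref, police_request(qs, ref)) for qs, ref in requests]


if __name__ == "__main__":
    for qs, ref, decision in run_samples():
        print(f"{decision:6}  query={qs!r:14} referer={ref!r}")
```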