
A Stop Gap Measure for Current SQL Injection

Okay, we all know the best way to secure a query is to use cfqueryparam.  I sent off a quick IM to a friend of mine today telling him I had seen a few attacks on my site and that it would behoove him to batten down all the hatches.  I know he has quite a few sites, and since he was in a panic I looked around to help him find a quick solution.

After reading Mark Kruger's article SQL Injection Part II (Make Sure You Are Sitting Down), I came up with something quick that is inelegant but works for this attack method.

Just add the following code to the top of your application.cfm file (or the appropriate section in application.cfc).

<cfif len(CGI.QUERY_STRING) AND findNoCase("declare", CGI.QUERY_STRING)>
    <!--- Insert some cheeky comments here --->
    <cfabort />
</cfif>

I DO NOT suggest using this for very long, but it could buy you some time while you update your queries.
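The code below is an added example, not code from this post or from Russ Michaels' article: it applies the same "declare" test to both the url and form scopes (the snippet above only reads CGI.QUERY_STRING, so a POSTed value is never inspected) and logs what it blocks, followed by the cfqueryparam rewrite that is the real fix. The datasource myDSN, the table news and its column id are assumed names.

```cfml
<!--- Application.cfc: added example, not the post's own code. --->
<cfcomponent>
    <cfset this.name = "stopGapDemo">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var key = "">
        <!--- Check both URL and FORM scope. The whole-word match still rejects a
              textarea whose text contains the word "declare", so this remains a
              temporary measure until every query uses cfqueryparam. --->
        <cfloop collection="#url#" item="key">
            <cfif reFindNoCase("\bdeclare\b", url[key])>
                <cflog file="sqlinjection" type="warning"
                       text="Blocked url.#key# from #cgi.remote_addr#">
                <cfabort>
            </cfif>
        </cfloop>
        <cfloop collection="#form#" item="key">
            <cfif reFindNoCase("\bdeclare\b", form[key])>
                <cflog file="sqlinjection" type="warning"
                       text="Blocked form.#key# from #cgi.remote_addr#">
                <cfabort>
            </cfif>
        </cfloop>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- In a page template (e.g. a hypothetical news.cfm). --->
<!--- Vulnerable: the request value is pasted straight into the SQL string. --->
<cfquery name="getNews" datasource="myDSN">
    SELECT title, body FROM news WHERE id = #url.id#
</cfquery>

<!--- Fixed: cfqueryparam binds the value as a typed parameter, so nothing in
      url.id (the word "declare" or anything else) can ever become SQL. --->
<cfquery name="getNews" datasource="myDSN">
    SELECT title, body FROM news
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

With the stop gap in Application.cfc, blocked requests show up in the sqlinjection log so you can see which sites are being hit while the queries are converted.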

Comments
todd sharp: What about form fields? The malicious code can also be passed through them just as easily. And I'd hate to abort out a request because someone typed 'declare' in a textarea.
# Posted By todd sharp | 7/23/08 6:49 PM
Shane Zehnder: Aye. Well, it does not take the form scope into account, so it COULD be bad news if you are sending forms using GET instead of POST.

The best way to avoid the situation altogether is to use cfqueryparam. As I said, it is a VERY inelegant solution, but it does beat the alternative.

Thanks for pointing that out, though, Todd. Sharp as always.

A little play on words there. ;)
# Posted By Shane Zehnder | 7/23/08 7:13 PM
todd sharp: Well, what I meant was, since it doesn't take the form scope into account, you'd miss an injection passed via a form POST. But as you said, it's a stop gap, and if it were my sites I'd be all over fixing the queries ASAP.

And thanks for the compliment :)
# Posted By todd sharp | 7/23/08 7:26 PM
Shane Zehnder: Russ Michaels just did a post with a much more secure version, IMO.

http://russ.michaels.me.uk/index.cfm/2008/7/24/SQL...

This protects the url and form scopes, plus they can still have DECLARE in a textarea. :)
# Posted By Shane Zehnder | 7/24/08 12:32 PM
Layout: Shane Zehnder ::: BlogCFC was created by Raymond Camden. ::: This blog is running version 5.9.