trying to secure code from sql injection

anyway you can give me a quick example of how i would then add

#Replace("#TextData#", Chr(10), "<br>", "ALL")#

or

#CreateODBCDateTime(Event_SDate)#


into a database while securing it from hacks?

oh wait i just tried this and it worked for the long text

<CFSET Event_Description = "#Replace("#longtext#", Chr(10), "<br>", "ALL")#">
<cfqueryparam CFSQLType = "CF_SQL_VARCHAR" value="#longtext#">

and it worked so now i am just confused on how to get this one into the database saftly

#CreateODBCDateTime(Event_SDate)#

vamike999 wrote:
> anyway you can give me a quick example of how i would then add
>
> #Replace("#TextData#", Chr(10), "<br>", "ALL")#
>
> or
>
> #CreateODBCDateTime(Event_SDate)#
>
>
> into a database while securing it from hacks?
>

<cfqueryparam value='#Replace("#TextData#", Chr(10), "<br>", "ALL")#'
CFSQLType='CF_SQL_VARCHAR'>

AND

<cfqueryparam value='#CreateODBCDateTime(Event_SDate)#;
CFSQLType='cf_sql_timestamp'>

Be aware that there are 'cf_sql_time' and 'cf_sql_date' options as well
depending on exactly what data you want to put into the database.

that worked very good. Thanks so much 🙂

Funny been working on exactly the same thing today,... specifically for script injection/remote command execution....
here is what I did:

1] Called from the application.cfm
<cfinclude template="#application.ServerRoot#/cfmx/sanitize.cfm">
<!--- xss protection/input sanitisation --->
<cfscript>sanitize();</cfscript>


2] the function.
<cfscript>

function sanitize() {
// This function detects and prevents sql/script injection type attacks and remote command execution
// we just need to clean up the regex statements
attack = 0;
email = '';

if (IsDefined('form')) {
for (key in form) {
if (ReFindNoCase('<script',form[key],'1','false') gt 0 ){attack=1;email = email&"<br />FORM STRING FOUND";}
}

if (ReFindNoCase('script',cgi.QUERY_STRING,'1','false') gt 0 ){attack=1;email = email&"<br />ILLEGAL URL STRING FOUND";}
}
if (attack eq 1) {
//populate vars
email = email&"<br />";
email = email&"<br />";
email = email&"<br />cgi.http_referer = "&cgi.http_referer;
email = email&"<br />cgi.http_user_agent = "&cgi.http_user_agent;
email = email&"<br />cgi.path_info = "&cgi.path_info;
email = email&"<br />cgi.path_translated = "&cgi.path_translated;
email = email&"<br />cgi.query_string = "&cgi.query_string;
email = email&"<br />cgi.remote_Addr = "&cgi.remote_Addr;
email = email&"<br />cgi.remote_host = "&cgi.remote_host;
email = email&"<br />cgi.remote_user = "&cgi.remote_user;
email = email&"<br />cgi.request_method = "&cgi.request_method;

//send mail
cfmail("application.adminmail","A possible web attack has been detected",email,"html");
//getPageContext().forward("/denied.cfm");
cflocation("/denied.htm","no");
}
}
</cfscript>


- yep, it's not finished, the regex's need to be written....
and yep every form, every request parses through = ++ overhead,...

but it works..

and it should be easy to add some rewrite rules to form values:
REReplaceNoCase(tmp, "(</?(APPLET|EMBED|FRAME|FRAMESET|IFRAME|ILAYER|LAYER|META|OBJECT|PARAM|SERVER)[^>]*>)", "", "ALL");





-regards
-sean

check udf

there is UDF for striptext

You can find different resources here:

http://www.cflib.org/library.cfm?ID=1