SQL Injection - cfqueryparam and other techniques to stop abuse?

Community Beginner, Mar 17, 2010

We have been having a lot of issues with SQL injection lately and so we are trying various methods to secure the data better.

First off we have been utilizing cfqueryparam on the queries that are being hit. I am also optimizing the data tables so that more maxlengths are in place.

What else can be done to improve security? I have looked up everything and anything on the internet and keep seeing the cfqueryparam.

Does changing the variables or table names make any difference? We are trying that, but I want to make sure it is not a waste of our time.

Thanks for any other suggestions.

Engaged, Mar 17, 2010

CFqueryparam is a good first step, though you should note that it will not protect some queries. For example if you have a sort by or order by that is dynamic, cfqueryparam won't help in that case. You will need to review data and validate for that.

You should also be checking for XSS vulnerabilities.

http://www.12robots.com/index.cfm/2008/8/4/Persistent-XSS-Attacks-and-countermeausures-in-ColdFusion

The blog above has a great number of CF security related posts.

Pete Freitag has a nice security scanner that will look at your CF server and highlight any missing patches and some other issues

http://www.petefreitag.com/item/721.cfm

There are some open source projects that will also filter out common SQL injection and XSS attacks on a code level.

http://portcullis.riaforge.org/

Finally there are several conferences in the CF world coming up, and all surely have some security sessions.  You may want to attend.

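An added example (not from the thread or any of its posters) of the point made above: cfqueryparam protects the WHERE clause, but a dynamic ORDER BY has to be validated separately. Here the sortable columns are mapped through an allowlist so that only a column name the application itself defines ever reaches the SQL text. The datasource `app_ro`, the `products` table and its column names are assumed for illustration.

```cfml
<!--- Added example, not code from the thread. Datasource "app_ro", table
      "products" and the column names below are assumed for illustration. --->

<!--- Allowlist: request value -> real column name. User input never
      reaches the SQL text directly; only a value from this map does. --->
<cfset sortColumns = {
    "name"  = "product_name",
    "price" = "unit_price",
    "added" = "date_added"
}>

<!--- Defaults for missing request values --->
<cfparam name="url.sort"     default="name">
<cfparam name="url.dir"      default="asc">
<cfparam name="url.maxPrice" default="100">

<!--- Unknown sort keys fall back to a safe default instead of erroring --->
<cfif structKeyExists(sortColumns, url.sort)>
    <cfset orderColumn = sortColumns[url.sort]>
<cfelse>
    <cfset orderColumn = sortColumns["name"]>
</cfif>

<!--- Direction is limited to two literals; anything else becomes ASC --->
<cfif lCase(url.dir) EQ "desc">
    <cfset orderDir = "DESC">
<cfelse>
    <cfset orderDir = "ASC">
</cfif>

<cfquery name="getProducts" datasource="app_ro">
    SELECT product_id, product_name, unit_price, date_added
    FROM   products
    WHERE  unit_price <= <cfqueryparam value="#url.maxPrice#" cfsqltype="cf_sql_decimal">
    <!--- orderColumn and orderDir come from the allowlist above, not from the request --->
    ORDER BY #orderColumn# #orderDir#
</cfquery>
```

Two things to note when using this pattern: wrapping the ORDER BY column itself in cfqueryparam would bind it as a string literal (sorting by a constant), which is why the allowlist is needed instead; and if `url.maxPrice` is not numeric, cfqueryparam with `cf_sql_decimal` raises an error rather than passing the value through, so the WHERE clause is protected even before any separate validation.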
Community Beginner, Mar 18, 2010

Thanks for the information. What about changing table names and variables? Is that helpful, or are we wasting our time?

Valorous Hero, Mar 18, 2010

I would say mostly a waste of time.

As far as I know, most SQL injection attacks are about getting the database to work against itself.  So the attacker needs little or no knowledge of the database schema.

Contributor, Mar 19, 2010

While you're at it...

http://www.owasp.org/index.php/Main_Page

Advocate, Mar 19, 2010

cfqueryparam is by far the most important precaution. Make sure you use it everywhere, not just in the WHERE but also in the VALUES of an insert or the SET of an update.

After that the most important thing to do is database permissions. Make sure your application runs with the least privileges possible. If your application doesn't use stored procedures, remove their permissions. Make sure the account that is used from CF only has SELECT, INSERT, UPDATE and DELETE privileges, and can't CREATE or DROP. If you have a site with a dedicated admin area, try setting up two datasources using different accounts. A read-only account for the public website, a read-write account for the admin area. Etc.

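An added example (not from the thread or any of its posters) of the two recommendations above: cfqueryparam in the VALUES of an INSERT and the SET of an UPDATE, not only in WHERE, and a split between a read-only datasource for the public site and a read-write datasource for the admin area. The datasource names `site_ro` and `admin_rw`, the `products` table and the form/url field names are assumed for illustration; the privileges behind each datasource are granted on the database side and are not shown here.

```cfml
<!--- Added example, not code from the thread. Datasources "site_ro" and
      "admin_rw", table "products" and the field names are assumed. --->

<!--- Public page: site_ro maps to a database account with SELECT only.
      Even if a query here were injectable, the account could not write. --->
<cfquery name="getProduct" datasource="site_ro">
    SELECT product_id, product_name, unit_price
    FROM   products
    WHERE  product_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Admin page: admin_rw maps to an account with SELECT, INSERT, UPDATE,
      DELETE on the application's tables and no CREATE or DROP. --->
<cfquery datasource="admin_rw">
    INSERT INTO products (product_name, unit_price)
    VALUES (
        <cfqueryparam value="#form.product_name#" cfsqltype="cf_sql_varchar" maxlength="100">,
        <cfqueryparam value="#form.unit_price#"   cfsqltype="cf_sql_decimal" scale="2">
    )
</cfquery>

<!--- Every value in SET and WHERE is bound, so the UPDATE text is fixed --->
<cfquery datasource="admin_rw">
    UPDATE products
    SET    product_name = <cfqueryparam value="#form.product_name#" cfsqltype="cf_sql_varchar" maxlength="100">,
           unit_price   = <cfqueryparam value="#form.unit_price#"   cfsqltype="cf_sql_decimal" scale="2">
    WHERE  product_id   = <cfqueryparam value="#form.product_id#"   cfsqltype="cf_sql_integer">
</cfquery>
```

The `maxlength` attribute on the varchar parameters mirrors the column lengths the original poster mentioned tightening, so an over-long value is rejected by CF before it reaches the database. Keeping the admin-area code on a datasource the public pages never reference means the read-only account is the only one exposed to anonymous traffic.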
LEGEND, Mar 19, 2010

I disagree.

First, relying on cfqueryparam for security issues means that you might have disregarded one of those "best practices" - validate user input before you use it.

Regarding database permissions, I agree with your general idea.  Regarding details, I think they depend on the situation.
