We have been having a lot of issues with SQL injection lately and so we are trying various methods to secure the data better.
First off we have been utilizing cfqueryparam on the queries that are being hit. I am also optimizing the data tables so that more maxlengths are in place.
What else can be done to improve security? I have looked up everything and anything on the internet and keep seeing the cfqueryparam.
Does changing the variables or table names make any difference? We are trying that, but I want to make sure it is not a waste of our time.
Thanks for any other suggestions.
cfqueryparam is a good first step, though you should note that it will not protect some queries. For example, if you have a sort by or order by that is dynamic, cfqueryparam won't help in that case. You will need to review data and validate for that.
You should also be checking for XSS vulnerabilities.
http://www.12robots.com/index.cfm/2008/8/4/Persistent-XSS-Attacks-and-countermeausures-in-ColdFusion
The blog above has a great number of CF security related posts.
Pete Freitag has a nice security scanner that will look at your CF server and highlight any missing patches and some other issues
http://www.petefreitag.com/item/721.cfm
There are some open source projects that will also filter out common SQL injection and XSS attacks on a code level.
http://portcullis.riaforge.org/
Finally there are several conferences in the CF world coming up, and all surely have some security sessions. You may want to attend.
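The ORDER BY gap described above, as an added example that is not code from this thread or any of the linked projects. It binds the WHERE values with cfqueryparam and handles the sort clause, which cannot be a bind parameter, with a fixed allow list so the raw request value never reaches the SQL string. The datasource name "myDSN" and the "products" table with columns id, name, price and created are placeholder assumptions.

```cfml
<!--- Added example (not code from the thread). Assumes a datasource "myDSN"
      and a table "products" with columns id, name, price and created; those
      names are placeholders. --->

<cfparam name="url.q" default="">
<cfparam name="url.maxPrice" default="100">
<cfparam name="url.sort" default="name">
<cfparam name="url.dir" default="ASC">

<!--- ORDER BY cannot be a bind parameter, so the column and direction are
      chosen from a fixed allow list. The raw url.sort value is never
      interpolated: we copy the canonical spelling back out of the list. --->
<cfset allowedSortColumns = "name,price,created">
<cfset sortColumn = "name">
<cfif listFindNoCase(allowedSortColumns, url.sort)>
    <cfset sortColumn = listGetAt(allowedSortColumns, listFindNoCase(allowedSortColumns, url.sort))>
</cfif>

<!--- Same idea for the direction: only two literal outcomes are possible.
      EQ is a case-insensitive string comparison in CFML. --->
<cfset sortDirection = "ASC">
<cfif url.dir EQ "DESC">
    <cfset sortDirection = "DESC">
</cfif>

<!--- Fall back on bad numeric input. cfqueryparam with cf_sql_decimal would
      also throw on a non-numeric value rather than pass it to the database. --->
<cfif NOT isNumeric(url.maxPrice)>
    <cfset url.maxPrice = 100>
</cfif>

<cfquery name="products" datasource="myDSN">
    SELECT id, name, price, created
    FROM products
    WHERE price <= <cfqueryparam value="#url.maxPrice#" cfsqltype="cf_sql_decimal" scale="2">
      AND name LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar" maxlength="52">
    ORDER BY #sortColumn# #sortDirection#
</cfquery>

<cfoutput query="products">
    #id#: #name# (#price#)<br>
</cfoutput>
```

Two points worth checking in your own code when you copy this pattern: the `#sortColumn#` and `#sortDirection#` interpolations are safe only because both variables are assigned from literals you control, never from the request; and `maxlength` on cfqueryparam rejects an over-long value with an error rather than truncating it, so set it to the column width you are tightening in the tables.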
Thanks for the information. What about changing table names and variables? Is that helpful, or are we wasting our time?
I would say mostly a waste of time.
As far as I know, most SQL injection attacks are about getting the database to work against itself. So the attacker needs little or no knowledge of the database schema.
While you're at it...
http://www.owasp.org/index.php/Main_Page
cfqueryparam is by far the most important precaution. Make sure you use it everywhere, not just in the WHERE but also in the VALUES of an insert or the SET of an update.
After that the most important thing to do is database permissions. Make sure your application runs with the least privileges possible. If your application doesn't use stored procedures, remove their permissions. Make sure the account that is used from CF only has SELECT, INSERT, UPDATE and DELETE privileges, and can't CREATE or DROP. If you have a site with a dedicated admin area, try setting up two datasources using different accounts. A read-only account for the public website, a read-write account for the admin area. Etc.
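The two pieces of advice above, parameterizing VALUES and SET as well as WHERE, and splitting public and admin traffic across datasources with different database accounts, as an added example that is not code from this thread. It assumes two datasources defined in the ColdFusion Administrator: "site_ro", bound to a database account that has only SELECT on the application tables, and "site_rw", bound to an account with SELECT, INSERT, UPDATE and DELETE and nothing else. The "articles" table with columns id, title, body and updated is likewise a placeholder.

```cfml
<!--- Added example (not code from the thread). Assumes two datasources set
      up in the ColdFusion Administrator: "site_ro", tied to a database
      account with only SELECT on the application's tables, and "site_rw",
      tied to an account with SELECT, INSERT, UPDATE and DELETE and nothing
      else. Table "articles" has columns id, title, body and updated.
      All of these names are placeholders. --->

<cfparam name="url.id" default="0">

<!--- Public page: read-only datasource. Even a query that slipped past
      review here could not INSERT, DROP or ALTER anything. --->
<cfquery name="article" datasource="site_ro">
    SELECT id, title, body
    FROM articles
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Admin page: read-write datasource, and every value position is a
      parameter, including the VALUES list of the INSERT and the SET
      clause of the UPDATE, not only the WHERE. --->
<cfif structKeyExists(form, "title") AND structKeyExists(form, "body")>

    <cfif NOT structKeyExists(form, "id") OR NOT isNumeric(form.id)>
        <cfquery datasource="site_rw">
            INSERT INTO articles (title, body, updated)
            VALUES (
                <cfqueryparam value="#form.title#" cfsqltype="cf_sql_varchar" maxlength="150">,
                <cfqueryparam value="#form.body#" cfsqltype="cf_sql_longvarchar">,
                <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
            )
        </cfquery>
    <cfelse>
        <cfquery datasource="site_rw">
            UPDATE articles
            SET title = <cfqueryparam value="#form.title#" cfsqltype="cf_sql_varchar" maxlength="150">,
                body = <cfqueryparam value="#form.body#" cfsqltype="cf_sql_longvarchar">,
                updated = <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
            WHERE id = <cfqueryparam value="#form.id#" cfsqltype="cf_sql_integer">
        </cfquery>
    </cfif>

</cfif>
```

The GRANT statements that create the two accounts are specific to your database engine and are not shown. As a second layer, the datasource's Advanced Settings in the ColdFusion Administrator let you untick the "Allowed SQL" operations (CREATE, DROP, ALTER, GRANT, REVOKE, stored procedures) per datasource, which is a cheap way to enforce the same split even if a database grant is later widened by mistake.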
I disagree.
First, relying on cfqueryparam for security issues means that you might have disregarded one of those "best practices": validate user input before you use it.
Regarding database permissions, I agree with your general idea. Regarding details, I think they depend on the situation.