Form field security

New Here
Oct 06, 2007

I have a highly controversial website that has been gathering information for a class action against a top 5 US bank. Recently there have been multiple and systematic attempts to access my database using SQL commands submitted through various form fields. These attempts and the results they might produce are above my scope of knowledge and I am requesting assistance in how to thwart these attacks and what info it may have revealed.

The attacks submit SQL code through form fields in blocks of 8 and 16 attempts simultaneously. Here is an example of what is being submitted:

1 declare @q varchar(8000) select @q = 0x574149544

I have created a list of keywords (declare, varchar, etc) that will trigger a cfabort but this is placed after an insert statement to capture what was submitted.

Any insight would be greatly appreciated.
Topics: Advanced techniques

Engaged
Oct 06, 2007
Use cfqueryparam and then you are locked up as tight as a drum!

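What the cfqueryparam advice looks like in practice, as an added example that is not code from this thread: the raw-interpolation form beside the parameterised one. It assumes a datasource named myDSN, a table named complaints with columns id, name and comments, and form fields form.name and form.comments.

```cfml
<!--- Added example (not from the original thread). Assumed names:
      datasource "myDSN", table "complaints", fields form.name / form.comments. --->

<!--- VULNERABLE: the form value is spliced into the SQL text, so a submission
      like the one quoted above ("1 declare @q varchar(8000) select @q = 0x...")
      becomes part of the statement the database parses and executes.
      Note this applies equally to a "log what was submitted" INSERT: if that
      logging query interpolates the value, the logging query is the injection point. --->
<cfquery name="insertBad" datasource="myDSN">
    INSERT INTO complaints (name, comments)
    VALUES ('#form.name#', '#form.comments#')
</cfquery>

<!--- HARDENED: cfqueryparam sends each value as a bind parameter. The database
      receives it as data only, whatever characters or keywords it contains,
      so no keyword blocklist is needed to keep it out of the SQL grammar.
      maxlength additionally rejects oversized input before it reaches the DB. --->
<cfquery name="insertGood" datasource="myDSN">
    INSERT INTO complaints (name, comments)
    VALUES (
        <cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar" maxlength="100">,
        <cfqueryparam value="#form.comments#" cfsqltype="cf_sql_varchar" maxlength="4000">
    )
</cfquery>

<!--- Typed numeric parameter: a value such as "1 declare @q ..." is not a valid
      integer, so ColdFusion raises an error before any SQL is sent. --->
<cfquery name="byId" datasource="myDSN">
    SELECT id, name, comments
    FROM complaints
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

Keeping the keyword log is still useful for spotting probing attempts, but it should be written with cfqueryparam too and never stand in for parameterisation.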
New Here
Oct 06, 2007
Interesting read on cfqueryparam, thanks. Can anyone tell me what [1 declare @q varchar(8000) select @q = 0x574149544] does and what results it may have yielded?

New Here
Oct 09, 2007
The latest submit attempt contained the following:

[*map/map_all_ag2.txt||10||r||1|| @]

Does anyone have any insight on this or the previous code as to what the user was able to access?

Guest
Oct 09, 2007
You could try entering the values in your form fields to see what's displayed. Of course, do this on a duplicate test system.

Hackers are creative and not having a job can give you lots of time to make people's lives lousy.
