4 Replies Latest reply on Oct 9, 2007 10:35 AM by CFMXPrGrmR

    Form field security

      I have a highly controversial website that has been gathering information for a class action against a top 5 US bank. Recently there have been multiple and systematic attempts to access my database using SQL commands submitted through various form fields. These attempts and the results they might produce are above my scope of knowledge and I am requesting assistance in how to thwart these attacks and what info it may have revealed.

      The attacks submit SQL code through form fields in blocks of 8 and 16 attempts simultaneously. Here is an example of what is being submitted:

      1 declare @q varchar(8000) select @q = 0x574149544

      I have created a list of keywords (declare, varchar, etc.) that will trigger a cfabort, but this is placed after an insert statement to capture what was submitted.

      Any insight would be greatly appreciated.
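
To review what captured submissions like the one quoted above actually carry, the hex literal can be decoded offline without running anything against the database. This is an added example, not part of the original post: the function names and the second sample row are constructed, and the keyword list holds only the two words the post names.

```python
import re

# Keywords taken from the post's description ("declare, varchar, etc").
KEYWORDS = ("declare", "varchar")
# T-SQL style hex literal: 0x followed by hex digits.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")


def decode_hex_literal(digits):
    """Decode complete byte pairs; flag a dangling half-byte instead of guessing it."""
    odd = len(digits) % 2
    usable = digits[: len(digits) - odd]
    text = bytes.fromhex(usable).decode("latin-1")
    # Replace non-printable bytes so the result is safe to show in a report.
    printable = "".join(c if 32 <= ord(c) < 127 else "." for c in text)
    return printable, odd == 1


def triage(field_value):
    """Describe a captured form value; the value is only read, never executed."""
    lowered = field_value.lower()
    literals = []
    for match in HEX_LITERAL.finditer(field_value):
        text, truncated = decode_hex_literal(match.group(1))
        literals.append({"decoded": text, "truncated": truncated})
    keywords = [k for k in KEYWORDS if k in lowered]
    return {
        "keywords": keywords,
        "hex_literals": literals,
        "suspicious": bool(literals) or bool(keywords),
    }


# Sample rows standing in for what the insert statement captured.
CAPTURED = [
    "1 declare @q varchar(8000) select @q = 0x574149544",  # value quoted in the post
    "Jane Doe",  # constructed benign value
]

if __name__ == "__main__":
    for value in CAPTURED:
        print(repr(value), "->", triage(value))
```

The quoted value is cut off mid-byte, so only its complete byte pairs are decoded and the remainder is reported as truncated.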