2 Replies Latest reply on Nov 28, 2006 7:51 AM by cutie369

    Sending the URL Values to a string

    cutie369 Level 1
    cutie369 Nov 28, 2006 6:32 AM
      How can I pass any URL values from the URL Structure to a list or string to check for SQL injections? I am not sure what syntac to use. I know that StructKeyList(URL) will give me all of the parameters but I need the value of those Keys?
      • 160 Views
      • Tags:
        • 1. Re: Sending the URL Values to a string
          Level 7
          Newsgroup_User Nov 28, 2006 7:04 AM (in response to cutie369)
          Well cgi.query_string is a copy of the url parameters and there values.
          But what are you "checking" for sql injection in the URL values. The
          usual best practice is to use <cfqueryparam ...> to prevent the
          injection from working. It is very difficult to try and detect all the
          different ways a hacker can come at you.
          • 2. Re: Sending the URL Values to a string
            cutie369 Level 1
            cutie369 Nov 28, 2006 7:51 AM (in response to Newsgroup_User)
            Thanks for the suggestion. I am using cfqueryparam in all of my queries; however, I want to add some additional insurance and this will help. Here is my code for what I am doing.

            <cfset SQLURLChecker = CGI.QUERY_STRING>
            <cfset SQLURLChecker = IsSQLInject(SQLURLChecker)>
            <cfif SQLURLChecker IS "true">
            <cfset WRITESQLURLChecker = CGI.QUERY_STRING>
            <!--- This writes a record of the offending party --->
            <cffile action="append"
            file="C:\projects\oam\sqllog.txt"
            output="Time: #DateFormat(Now(),'MMMM/DD/YYYY')# #TIMEFORMAT(Now(),'h:mm tt')# Referring Page: #CGI.SCRIPT_NAME# IP Address: #CGI.REMOTE_ADDR# Illegal Words: #WRITESQLURLChecker#">
            <cflocation url="#CGI.SCRIPT_NAME#">
            </cfif>