2 Replies Latest reply on Jan 20, 2015 6:49 AM by BKBK

    SQL injection

    weezerboy Level 1

      I have a very large website that is constantly under attack via SQL injection.

      My SQL DB is corrupted weekly.

      I am in the process of adding <cfqueryparam> throughout the site.

      But in the short term, is there something I can add to Application.cfm if I know part of the string that is always being injected?

      For example, if I know that the string "www.paydayloans.com" is being passed maliciously, is there some code I can add to prevent it from being used in the query?

        • 1. Re: SQL injection
          Steve Sommers Level 4

          You can definitely add code to detect specific data and execute alternative actions. This is overly simplified but something like this:

            <cfloop index="local.name" list="#structKeyList(url)#">
              <cfif isSimpleValue(url[local.name]) and reFindNoCase("(www\.paydayloans\.com|www\.somethingelse\.com)", url[local.name])>
                <cfthrow message="go away!" />
              </cfif>
            </cfloop>

          An important note with this solution: it is very specific to known data and is not a good long-term solution to the problem. Definitely cfqueryparam'itize all your SQL queries.
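          An added example (not code from this thread) of the same short-term filter applied to both the URL and form scopes from Application.cfm, followed by a vulnerable query beside its cfqueryparam form; the datasource name, table, column names and the single blocked pattern are assumptions:

          ```cfml
          <!--- Application.cfm: short-term filter for strings already known to be injected.
                Only the pattern reported in the thread is listed; add others as they are observed. --->
          <cfset request.blockedPattern = "(www\.paydayloans\.com)">

          <!--- Check every simple value in the URL and form scopes --->
          <cfset scopes = [url, form]>
          <cfloop array="#scopes#" index="scopeRef">
              <cfloop collection="#scopeRef#" item="key">
                  <cfif isSimpleValue(scopeRef[key]) and reFindNoCase(request.blockedPattern, scopeRef[key])>
                      <!--- Record the parameter name and client, not the payload itself, then reject --->
                      <cflog file="injection_attempts" type="warning"
                             text="Blocked request from #cgi.remote_addr# to #cgi.script_name# via parameter #key#">
                      <cfheader statuscode="400" statustext="Bad Request">
                      <cfabort>
                  </cfif>
              </cfloop>
          </cfloop>

          <!--- BEFORE (vulnerable): url.id is pasted into the statement, so whatever it contains is parsed as SQL --->
          <cfquery name="getPage" datasource="#application.dsn#">
              SELECT title, body FROM pages WHERE id = #url.id#
          </cfquery>

          <!--- AFTER (fixed): cfqueryparam binds the value as a typed parameter; it is never parsed as SQL,
                and a non-integer value is rejected before the query runs --->
          <cfquery name="getPage" datasource="#application.dsn#">
              SELECT title, body FROM pages
              WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
          </cfquery>
          ```

          The filter is a stopgap that only catches strings you have already seen; the cfqueryparam change is what actually closes the injection path.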

          • 2. Re: SQL injection
            BKBK Adobe Community Professional & MVP

            Through which passage is the corrupt data coming in: URL or form?