|August 8, 2008 04:00 PM EDT||
If you're using ColdFusion, to harden your website from sql injection attacks add the following code to your Application.cfm file. If you're not using ColdFusion, you can translate this code into the language you're using and it should still work.
<!--- CREATE SQL REGULAR EXPRESSION--->
<!--- CHECK FORM VARIABLES --->
<!--- CHECK URL VARIABLES --->
This code would reside in your Application.cfm file which gets executed every time a ColdFusion file is requested on the server. What it does is it checks all form and URL variables to see if they contain any patterns matching an SQL SELECT, UPDATE, INSERT, DELETE or DROP statement.
If a match is found, the user is redirected to a message page indicating that a possible SQL Injection attack was made and the SQL injection is prevented.
|littleviews 05/15/09 01:37:00 AM EDT|
I could not make this work in CFMX8. Does anyone have any suggestions?
|cmosdall 10/15/08 03:07:54 AM EDT|
There’s a very nasty SQL injection attacking our sites at the moment:
DECLARE @S CHAR(4000);
You need to add DECLARE and EXEC to the regex.
|klevenson 09/18/08 12:25:41 PM EDT|
If I change sqlregex = "select" for testing the code works fine.
The complete regular expression as listed above doesn't seem to work in CFMX8.
|distinct 09/03/08 10:17:09 AM EDT|
Whilst it can be useful to attempt to detect SQL injection; using detection as a defence mechanism is risky.
The only way to really be sure that no SQL injection will be possible in ColdFusion is to ensure all queries use the cfqueryparam tag around user supplied input. Additionally, all user input should be validated server side in order to ensure it matches a specific and expected data type and format.
In programming, one can always prove what is true, but not always prove what is false. Trying to protect a system by determining what user input is bad is shakey. By contrast, protecting a system by determining what user input is good is solid. Essentially, a system should only accept and process user input which adheres to an expected datatype and format. Everything else should be rejected.
|pgwalters 07/30/08 11:08:54 AM EDT|
And, if I may, add TRUNCATE TABLE (or the equivalent for your DBMS)
|cfengineers 07/30/08 09:22:00 AM EDT|
Dont forget that DECLARE should also be in the list.
- Where Are RIA Technologies Headed in 2008?
- The Next Programming Models, RIAs and Composite Applications
- AJAX World RIA Conference & Expo Kicks Off in New York City
- Constructing an Application with Flash Forms from the Ground Up
- Building a Zip Code Proximity Search with ColdFusion
- Personal Branding Checklist
- CFEclipse: The Developer's IDE, Eclipse For ColdFusion
- Has the Technology Bounceback Begun?
- Cloud People: A Who's Who of Cloud Computing
- i-Technology Viewpoint: We Need Not More Frameworks, But Better Programmers
- Adobe Flex 2: Advanced DataGrid
- Web Services Using ColdFusion and Apache CXF