Preventing SQL Injection Attacks in ColdFusion

First download your log files from the web server and open them in Textpad (or any editor that can search). Search for the word DECLARE: the matching requests are the ones used to attack the database, and their query strings show which variable the attacker injected through. If that variable is 'id', which should always be an integer, the following line restricts it to a whole number and nothing else:

<cfparam name="id" default="0" type="integer">

If the incoming value is not an integer, cfparam throws an exception and the page stops before any query runs. Scope the name (url.id or form.id) so that you validate the same variable the query reads.

Here are two more checks that can be added to the .cfm code to look for the EXEC and DECLARE payloads in other request data. The CFML contains operator is case-insensitive, and the raw query string may carry the parenthesis URL-encoded as %28, so decode it before matching:

<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR urlDecode(cgi.QUERY_STRING) contains "EXEC("><cfabort></cfif>

<cfif val(id) EQ 0 AND (id CONTAINS "http" OR id CONTAINS "user" OR id CONTAINS "DECLARE")><cfabort></cfif>

These are signature matches: they stop the payload you saw in the logs, not a rephrased one, so treat them as a stopgap until every query is parameterized.


In the second check, replace 'id' with the name of whichever variable your own code reads and the attacker targeted.
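As an added example, not code from the original page, the same signature checks moved into an Application.cfc onRequestStart method so that every page in the application is covered, with the blocked request logged for later review. The application name, the log file name and the token list are assumptions; the tokens themselves are the DECLARE and EXEC( strings the text describes.

```cfml
<!--- Application.cfc (assumed to sit in the web root). Runs before every .cfm page. --->
<cfcomponent output="false">
    <cfset this.name = "securedApp">   <!--- hypothetical application name --->

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Signature tokens from the attack traffic the text describes;
              a constructed list, extend it from what your own logs show --->
        <cfset var badTokens = ["DECLARE", "EXEC("]>
        <cfset var haystack = "">
        <cfset var key = "">
        <cfset var token = "">

        <!--- Gather everything the attacker controls: the path, the decoded
              query string (so EXEC%28 matches too) and every posted form field --->
        <cfset haystack = cgi.script_name & " " & cgi.path_info & " " & urlDecode(cgi.query_string)>
        <cfloop collection="#form#" item="key">
            <cfset haystack = haystack & " " & form[key]>
        </cfloop>

        <!--- findNoCase matches regardless of case, like the CFML contains operator --->
        <cfloop array="#badTokens#" index="token">
            <cfif findNoCase(token, haystack)>
                <!--- Record who sent what (hypothetical log file name), then
                      stop the request before any query can run --->
                <cflog file="sqli_blocked" type="warning"
                       text="#cgi.remote_addr# #arguments.targetPage# #left(haystack, 500)#">
                <cfheader statuscode="400" statustext="Bad Request">
                <cfabort>
            </cfif>
        </cfloop>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Because this is a denylist it only blocks payloads that contain those tokens, and it will also block a legitimate form post that happens to contain the word "declare"; it buys time while the queries themselves are fixed with cfqueryparam, it does not replace that fix.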
 

Consider using http://qpscanner.riaforge.org/ (QueryParam Scanner) to find the queries in your code that interpolate variables without cfqueryparam. Fix each one with cfqueryparam or, for values that must be whole numbers, the type="integer" cfparam shown above.

Use <cfqueryparam cfsqltype = "cf_sql_integer" value="#variable#"> to wrap each integer value that goes into a query. ColdFusion checks that the value is a number and then sends it to the database as a bind parameter rather than as part of the SQL text, so a value such as 1 OR 1=1, or anything containing ' " or ;, raises an error instead of running.

For text values use <cfqueryparam cfsqltype = "cf_sql_varchar" value="#variable#"> to wrap the value. This does not restrict the characters to a-zA-Z0-9: quotes, semicolons and SQL keywords are all accepted, but because the value is bound as a parameter the database treats it purely as data, so it can never close the string literal or add a statement.

Whatever the type, you can add maxlength="20" to the cfqueryparam to cap the length of the value; a longer value is rejected with an error rather than silently truncated. Two things cfqueryparam cannot do: it cannot parameterize a table name, a column name or an ORDER BY direction, so those must be checked against a fixed list in your code, and it does nothing for a query that still concatenates a variable outside a cfqueryparam.
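An added example, not the page's code, showing a query before and after it is hardened with cfqueryparam, together with the typed cfparam from above and a catch that turns a rejected value into a 400 response instead of ColdFusion's default error page. The page name product.cfm, the datasource shopDSN, the table products and the url parameters id and category are assumptions.

```cfml
<!--- product.cfm (hypothetical page). Datasource "shopDSN", table "products" and
      the url parameters id / category are assumptions for this example. --->

<!--- BEFORE, vulnerable (kept as a comment for contrast; do not deploy):
      <cfquery name="getProducts" datasource="shopDSN">
          SELECT id, name, price FROM products
          WHERE id = #url.id# AND category = '#url.category#'
      </cfquery>
      url.id is spliced into the SQL text, so ?id=1;DECLARE%20... runs a second
      statement. ColdFusion's automatic doubling of single quotes inside #vars#
      in a cfquery only protects the quoted category value; a numeric comparison
      needs no quote to break out of. --->

<cftry>
    <!--- Typed defaults: a non-integer id throws before any SQL is built --->
    <cfparam name="url.id" default="0" type="integer">
    <cfparam name="url.category" default="" type="string">

    <!--- AFTER: every request value is a bind parameter, never SQL text --->
    <cfquery name="getProducts" datasource="shopDSN">
        SELECT id, name, price
        FROM products
        WHERE id = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.id#">
          AND category = <cfqueryparam cfsqltype="cf_sql_varchar"
                                       value="#url.category#" maxlength="30">
    </cfquery>

    <cfcatch type="any">
        <!--- A rejected value (id=1 OR 1=1, a category over 30 characters, ...)
              raises an exception; answer 400 rather than showing the default
              error page, which prints the SQL and leaks schema details --->
        <cflog file="sqli_blocked" type="warning"
               text="Rejected parameter from #cgi.remote_addr#: #cfcatch.message#">
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid request.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>

<cfoutput query="getProducts">
    #id#: #htmlEditFormat(name)# (#price#)<br>
</cfoutput>
```

The catch is deliberately broad so that a rejected parameter never reaches the default error handler; the message is written to the log (hypothetical file name) where the investigation described at the top of the page can pick it up, while the client only learns that the request was invalid.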
