Is this a bug or a "security feature" ?

Question

I had a nagging bug in coldfusion where every once in a while
when people entered text and I inserted it into an MS SQL database
it would throw the error "Statement is not allowed." I got a clue
when a customer put in the words drop and program in their
description for something, when I took the words out it worked
fine. I gave the datasource permission to grant, revoke, drop, ect
ect in the advanced datasource options and poof, it works! So is
this a bug or some kind of injection attack prevention? The text
was actually formatted in an FCK editor and put within single
quotes in an UPDATE statement.

Newsgroup_User · Answer

chazman113 wrote:> I had a nagging bug in coldfusion where every once in awhile when people > entered text and I inserted it into an MS SQL databaseit would throw the error > "Statement is not allowed." I got a clue when a customerput in the words drop > and program in their description for something, when Itook the words out it > worked fine. I gave the datasource permission to grant,revoke, drop, ect ect > in the advanced datasource options and poof, it works!So is this a bug or some > kind of injection attack prevention? The text wasactually formatted in an FCK > editor and put within single quotes in an UPDATEstatement. > It is not a bug, and you have definitely disabled a lot ofsecurity by opening up your DSN like that. It helps to look at this howeach of various systems look at it.On the ColdFusion end, it is just working with strings. Thesecurity settings in the administrator are basically string searches.I.E. Don't allow these problematic sub-strings in the SQL string.Anyone who has worked with more then the most basic string manipulationunderstands how convoluted it quickly becomes and how nigh impossible itis to make up a foolproof rule.Once the database receives the query string, it tokenizeswhat it receives and starts processing the commands. If one just uses than everything is received as one longstring and the database must make it's best attempt to determine which partsof the strings are commands and which parts are parameters and whichparts are data. It is relatively easy to confuse the database in thisprocess so that information meant to be data is processed as a command.This is the essence of a SQL injection attack.If one uses the tag or storedprocedures, the developer more explicitly defines which parts of the SQL iscommands and which part is data. Now the database knows what part of theSQL is data and it does not even try to tokenize it for commands.Thus the simpler and more secure solution to your originalproblem would be to use for these fields that couldpotentially and legitimately contain strings that could look like SQLcommands so that the database would know to not even look there. Generally itsa best practice to always use tags in yourColdFusion SQL.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded