Skip to main content
A
Anonymous
March 31, 2010
Question

reg expression in sql insertion attack

  • March 31, 2010
  • 2 replies
  • 1377 views

one of my client sites has be under attack for the last several months and seems like i have pretty much stopped it (i hope).

what i am trying to do now is find out their exact string, ip, time, etc.

i am searching for strings like update, datasource, select etc.

example:

<cfif (ListContainsNoCase(myfield, "select"))

OR (ListContainsNoCase(myfield, "update"))...

the problem is when i come across a word like selection, it sets off trigger.

i need a reg expression where select stands alone or with special characters on either side but passes if part of a word such as "reselet" or "selection"

tnx in advance

This topic has been closed for replies.

2 replies

T
TLC-IT
Inspiring
April 12, 2010

Obviously, the right way (if you will...) to solve this kind of problem is:  <cfqueryparam>.

In other words...  never allow user-contributed text to appear, in any form or under any circumstances, within an SQL query that ColdFusion ever presents to the server.  The one and only way that such text should appear is:  as a parameter.

An SQL server will never interpret a query-parameter as possibly being part of the SQL string.  It will have already parsed the SQL text, already generated the execution plan, and be ready to execute it.  The string, no matter what it may contain, will only be interpreted as "character data."

Every "injection attack," no matter what flavor it is, always relies upon mis-interpretation and/or mis-handling of the data that is being "injected."  But there are always ways to prevent this.

It's unfortunate that the ColdFusion language has no notion of Perl's "taint mode," which actually flags individual data-values(!) as "potentially tainted" as they flow through the system.

G
Gabriel_Landes
Participant
April 14, 2010

TLC-IT's point is valid in that SQL injection attacks thrive on misinterpreted statements - you should use cfqueryparam religiously!

BUT, you do still need to be very careful with usersubmitted data - its danger is not just in carrying malicious SQL, but also in carrying malicious HTML/JS when it comes back out. This is why forums often use "BBcode" and reject any HTML coming from the user. If a user can get your system to store and send malicious javascript to other viewers, they can do a lot of harm that way, too. Check out the Cross-site Scripting article below for a good primer on the topic including some suggestions for preventing it.

http://en.wikipedia.org/wiki/Cross-site_scripting

Owainnorth
Owainnorth
Inspiring
March 31, 2010

Now I'm rubbish at Regex, but how about a simple one:

[^a-z]SELECT[^a-z]

Which should (untested) give you the word "select" with anything other than a letter before or after it.

A
Anonymous
March 31, 2010

tnx Owain. have tried in a test as:

<cfset myfield = " the selection is">

<cfif (ListContainsNoCase(myfield, "[^a-z]SELECT[^a-z]"))>
aaa
<cfelse>
bbb
</cfif>

and does not seem to be working. i have tried also variations on theme to no effect

D
Dan_Bracuk
Inspiring
March 31, 2010

Try it with ReFindNoCase.


Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices