Inspiring
January 19, 2015
Question

SQL injection

  • January 19, 2015
  • 2 replies
  • 349 views

I have a very large website that is constantly under attack via SQL injection.

My SQL DB is corrupted weekly.

I am in the process of adding <cfqueryparam> throughout the site.

But in the short term, is there something I can add to the Application.cfm if I know part of the string that is always being injected?

For example, if I know that the string "www.paydayloans.com" is being maliciously passed, is there some code I can add to prevent that from being used in the query?


2 replies

BKBK
Community Expert
January 20, 2015

Through which passage is the corrupt data coming in: URL or form?

Legend
January 19, 2015

You can definitely add code to detect specific data and execute alternative actions. This is overly simplified but something like this:

  <!--- Application.cfm: reject a request if any simple URL parameter contains a known injected string --->
  <cfloop index="local.name" list="#structKeyList(url)#">
    <!--- Only simple values (strings/numbers) can be pattern-matched; skip structs, arrays, etc. --->
    <cfif isSimpleValue(url[local.name]) and reFindNoCase("(www\.paydayloans\.com|www\.somethingelse\.com)", url[local.name])>
      <cfthrow message="go away!" />
    </cfif>
  </cfloop>

An important note with this solution: it is very specific to known data and is not a good long-term solution to the problem. Definitely cfqueryparam'itize all your SQL queries.
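The following is an added example, not code from either reply above. It puts the same stop-gap check into Application.cfc's onRequestStart (so it covers both the url and form scopes that BKBK asks about), logs what it blocked, and then shows the real fix: the same query before and after <cfqueryparam>. The table name pages, the column names, application.dsn and the blocked-pattern list are assumptions for illustration.

```cfml
<!--- Application.cfc (added example; table, column and datasource names are hypothetical) --->
<cfcomponent output="false">
    <cfset this.name = "ExampleApp">

    <!--- Constructed list of substrings seen in past injection payloads.
          Hypothetical values: replace with what your own logs actually show. --->
    <cfset variables.blockedPatterns = "www\.paydayloans\.com|www\.somethingelse\.com">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var scopes = [url, form]>
        <cfset var paramScope = "">
        <cfset var key = "">

        <!--- Scan every simple value in both the url and form scopes --->
        <cfloop array="#scopes#" index="paramScope">
            <cfloop collection="#paramScope#" item="key">
                <cfif isSimpleValue(paramScope[key])
                      and reFindNoCase(variables.blockedPatterns, paramScope[key])>
                    <!--- Record the hit so the real payloads can be reviewed later --->
                    <cflog file="blockedRequests" type="warning"
                           text="Blocked parameter #key# on #arguments.targetPage# from #cgi.remote_addr#">
                    <cfheader statuscode="403" statustext="Forbidden">
                    <cfabort>
                </cfif>
            </cfloop>
        </cfloop>

        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- page.cfm, BEFORE: url.id is concatenated into the SQL text, so a value such as
      1; UPDATE pages SET body = '<a href="http://www.paydayloans.com">...</a>' --
      becomes part of the statement. This is the pattern that corrupts the DB weekly. --->
<cfquery name="getPage" datasource="#application.dsn#">
    SELECT id, title, body
    FROM   pages
    WHERE  id = #url.id#
</cfquery>

<!--- page.cfm, AFTER: the value is sent as a typed bind parameter and can never be
      parsed as SQL, whatever string the attacker supplies. --->
<cfquery name="getPage" datasource="#application.dsn#">
    SELECT id, title, body
    FROM   pages
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

Two caveats on the blocklist half. It only stops payloads that contain the exact strings you already know about; the same attacker can switch domains, or (on MySQL) hide the string behind CHAR() or a hex literal, and the check never fires. And the scan runs over the decoded url and form scopes, so it does not see cookies, headers or anything pulled from the database and re-used in a query. Treat the 403 as a way to cut the noise while the <cfqueryparam> pass finishes, and treat the logged hits as the list of pages to convert first.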