Question
SQL Injection is rampant this week
Setting of the stage:
I am using cf error reporting to send me an email whenever there is an exception error on my site.
I am using cfqueryparam to make sure SQL injection is not getting through
Trouble: using cfqueryparam to catch the attack causes an exception error whenever there is an attempted attack. So this morning I received 211 emails from the site (and they are still coming in) telling me "Invalid data 4;DECLARE @S CHAR(4000);SET ...for CFSQLTYPE CF_SQL_INTEGER."
So is there a way to catch this error and simply abort and not send me the email? Maybe put a test in the error exception page that checks for ";declare, ;select ;delete; insert, etc..." Or maybe put a check in the application file to check the url variables for the same?
I am looking for ideas from others - I am SICK of my inbox getting jam packed with SQL injection messages.
Thanks all!
Chris
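One way to do the filtering asked about above, as an added example that is not part of the original post: a site-wide error handler that recognises the cfqueryparam rejection by the message wording quoted in the question, writes it to a dedicated log instead of mailing it, and still mails every other exception. It assumes error handling lives in `onError` in Application.cfc; the application name, log file name and mail addresses are placeholders.

```cfml
<!--- Application.cfc: added example; names and addresses are placeholders --->
<cfcomponent output="false">
  <cfset this.name = "exampleSite">

  <cffunction name="onError" returntype="void" output="true">
    <cfargument name="exception" required="true">
    <cfargument name="eventName" type="string" required="true">

    <!--- The cfqueryparam message may sit on the wrapped root cause. --->
    <cfset var msg = "">
    <cfif structKeyExists(arguments.exception, "message")>
      <cfset msg = arguments.exception.message>
    </cfif>
    <cfif structKeyExists(arguments.exception, "rootCause")
          and structKeyExists(arguments.exception.rootCause, "message")>
      <cfset msg = arguments.exception.rootCause.message>
    </cfif>
    <cfset msg = trim(msg)>

    <!--- Wording taken from the error quoted in the question:
          "Invalid data ... for CFSQLTYPE CF_SQL_INTEGER." --->
    <cfif findNoCase("Invalid data", msg) eq 1
          and findNoCase("for CFSQLTYPE", msg) gt 0>
      <!--- The parameter was rejected before reaching the database.
            Keep a record for later review, but send no mail.
            The value is attacker-controlled, so truncate it. --->
      <cflog file="queryparam_rejects" type="warning"
             text="#cgi.remote_addr# #cgi.script_name# #left(msg, 200)#">
      <cfabort>
    </cfif>

    <!--- Anything else is a genuine application error: mail it as before. --->
    <cfmail to="admin@example.com" from="site@example.com"
            subject="Site error: #left(msg, 80)#" type="html">
      <cfdump var="#arguments.exception#">
    </cfmail>
  </cffunction>
</cfcomponent>
```

If the site uses a `cferror` template instead of `onError`, the same message test can go at the top of that template before the mail is sent.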
