Participant
March 17, 2010
Question

SQL Injection - cfqueryparam and other techniques to stop abuse?

  • March 17, 2010
  • 3 replies
  • 1024 views

We have been having a lot of issues with SQL injection lately and so we are trying various methods to secure the data better.

First off we have been utilizing cfqueryparam on the queries that are being hit. I am also optimizing the data tables so that more maxlengths are in place.

What else can be done to improve security? I have looked up everything and anything on the internet and keep seeing the cfqueryparam.

Does changing the variables or table names make any difference? We are trying that, but I want to make sure it is not a waste of our time.

Thanks for any other suggestions.


3 replies

Inspiring
March 20, 2010

cfqueryparam is by far the most important precaution. Make sure you use it everywhere, not just in the WHERE but also in the VALUES of an insert or the SET of an update.

After that the most important thing to do is database permissions. Make sure your application runs with the least privileges possible. If your application doesn't use stored procedures, remove their permissions. Make sure the account that is used from CF only has SELECT, INSERT, UPDATE and DELETE privileges, and can't CREATE or DROP. If you have a site with a dedicated admin area, try setting up two datasources using different accounts. A read-only account for the public website, a read-write account for the admin area. Etc.

Inspiring
March 20, 2010

I disagree.

First, relying on cfqueryparam for security issues means that you might have disregarded one of those "best practices" - validate user input before you use it.

Regarding database permissions, I agree with your general idea. Regarding details, I think they depend on the situation.

davidsimms
Inspiring
March 19, 2010

While you're at it...

http://www.owasp.org/index.php/Main_Page

Participating Frequently
March 17, 2010

cfqueryparam is a good first step, though you should note that it will not protect some queries. For example, if you have a sort by or order by that is dynamic, cfqueryparam won't help in that case. You will need to review data and validate for that.

You should also be checking for XSS vulnerabilities.

http://www.12robots.com/index.cfm/2008/8/4/Persistent-XSS-Attacks-and-countermeausures-in-ColdFusion

The blog above has a great number of CF security related posts.

Pete Freitag has a nice security scanner that will look at your CF server and highlight any missing patches and some other issues.

http://www.petefreitag.com/item/721.cfm

There are some open source projects that will also filter out common SQL injection and XSS attacks on a code level.

http://portcullis.riaforge.org/

Finally, there are several conferences in the CF world coming up, and all surely have some security sessions. You may want to attend.
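The dynamic ORDER BY case mentioned above is worth seeing in code. This is an added example, not code from the thread or from any of the linked projects; it assumes a datasource named "myDSN" and a "users" table with the columns shown. Values are bound with cfqueryparam, while the sort column and direction, which cannot be parameterized, are mapped through an allow-list instead of being concatenated from the request.

```cfml
<!--- Added example (not from the thread). Assumes datasource "myDSN" and a
      "users" table with columns id, first_name, last_name, created_date. --->
<cfparam name="url.sort"  default="lastName">
<cfparam name="url.dir"   default="asc">
<cfparam name="url.minId" default="0">

<!--- Identifiers (column names, ASC/DESC) cannot go through cfqueryparam,
      so never write ORDER BY #url.sort#. Map request values to known
      column names instead; anything not in the map falls back to a default. --->
<cfset columnMap = structNew()>
<cfset columnMap["lastName"]    = "last_name">
<cfset columnMap["firstName"]   = "first_name">
<cfset columnMap["createdDate"] = "created_date">

<cfif structKeyExists(columnMap, url.sort)>
    <cfset orderColumn = columnMap[url.sort]>
<cfelse>
    <cfset orderColumn = "last_name">
</cfif>

<cfif url.dir EQ "desc">
    <cfset orderDir = "DESC">
<cfelse>
    <cfset orderDir = "ASC">
</cfif>

<!--- The filter value is a real parameter: cf_sql_integer also rejects
      non-numeric input before the statement reaches the database. --->
<cfquery name="qUsers" datasource="myDSN">
    SELECT id, first_name, last_name, created_date
    FROM   users
    WHERE  id > <cfqueryparam value="#url.minId#" cfsqltype="cf_sql_integer">
    ORDER BY #orderColumn# #orderDir#
</cfquery>
```

Only the two allow-listed variables are ever interpolated into the SQL text, so the shape of the statement is fixed regardless of what arrives in the URL.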

annamjmiAuthor
Participant
March 18, 2010

Thanks for the information. What about changing table names and variables? Is that helpful or are we wasting our time?

ilssac
Inspiring
March 18, 2010

I would say mostly a waste of time.

As far as I know, most SQL injection attacks are about getting the database to work against itself. So the attacker needs little or no knowledge of the database schema.