Check out this article by Ben Forta about SQL Injection Attacks. Yikes! It's scary to think that someone could simply put a few extra lines into a url and totally ruin a database. Thank goodness for cfQueryParam (not to be confused with cfParam!)
So today I spent some time searching through query after query making sure that any of them with user input was filtered with cfQueryParam. Kind of mind-numbing, but alas, very necessary. The only snags that I hit had to do with using LIKE statements or functions in queries with cfQueryParam. Here is what I learned.
Example of how to use LIKE with cfQueryParam (for my oral surgeon):
SELECT toothThe trick here is that instead of putting the wildcard indicators (%) on the outside of the cfqueryparam tag, you have to include them in the value attribute. In fact, Coldfusion throws an error if you try to put anything outside the cfqueryparam tag.
FROM mouth
WHERE tooth LIKE <cfqueryparam value="%#form.wisdomTooth#%" cfsqltype="CF_SQL_VARCHAR">
The following is a great illustration of what will NOT work (for zombies with discerning taste):
SELECT brainsYou would need to put the tasteTest function INSIDE the cfqueryparam value attribute, like so: <cfqueryparam value="#tasteTest(url.taste)#" cfsqltype="CF_SQL_INTEGER">
FROM people
WHERE tasteRating = tasteTest(<cfqueryparam value="#url.victimSkin#" cfsqltype="CF_SQL_INTEGER">)
This brings me to another cute piece of information that I found today. There is bug in Coldfusion MX 6.1 regarding the use of functions inside cfqueryparam tags. If you are too good for MX 6.1 and only use "new" versions of Coldfusion, then this won't apply to you, Mr. Fancypants. For the rest of us: Coldfusion MX 6.1 Hot Fix for cfQuery / cfQueryParam
p.s. Although the cfsqltype is NOT a required attribute, someone somewhere said that it improves performance, which makes sense to me--so what the hell, why not use it? Apparently it is hard to come by a chart of cfsqltypes and their associated SQL data types (it was not included in the Coldfusion MX 6.1 LiveDocs.)
So here is the link to the Adobe LiveDocs page that DOES include a chart: Coldfusion MX 7 cfQueryParam (with data type chart!)
5 comments:
Don't forget folks, form variables arn't the only kind of potentially-evil user input! Variables passed by URLs and COOKIEs could be just as malicious as FORM variables.
Also note: Don't use SELECT * with cfQueryParam! It will cause unusual errors when you add columns to the tables being queried. See this blog for details: http://www.1pixelout.net/2004/06/16/cfqueryparam
Sorry if you manually searched your code, but there's a QueryParam Scanner that will automate this for you:
http://qpscanner.riaforge.org/
QueryParamScanner (on RIAForge) makes this a bit less painful...
Thanks for the heads up. I am sure you have managed to alert everyone with this information you have shared. I also appreciate your effort in researching more about it.
Post a Comment