views: 83

answers: 6

Years ago I programmed a magazine-style site in ColdFusion. It had a site search function to full-text search (using SQL Server) the articles and blog posts. It worked fine, but then we were hit with a SQL injection attack (my fault). The site owner decided to take down the search, and only recently asked me to make it live again.

I know I needed to use CFQUERYPARAM to stop the SQL injections, and I've fixed that aspect of the code. My question is, what other things should I do to make the site search reasonably secure? I'm not talking about heroic measures, just the basic stuff that I shouldn't forget. Thanks.

A: 

Besides using params, you can check the input for strange text (HTML code, ' tags, etc.) and limit it in length (it is reasonable that a search will not exceed a certain amount of chars).

Search the web for text sanitizing.

Dani
A: 

You can start avoiding SQL injections by using CFQUERYPARAM.

Another thing you should be careful about is avoiding denial of service attacks. I once saw an attack which was based on sending stupid queries to a site, something like "all texts which contain the letter a" and this kind of stuff.

Limiting the number of results per page is a good way to avoid this kind of problem.

Kico Lobo
A: 

What I can also think of is to check that all links (accessible cffunctions, fuseactions, etc.) reachable from the search results are either safe to be public or protected to the necessary level, like:

Hotou
+7  A: 
  • cfqueryparam
  • error handling around individual query
  • error handling for site via <cferror>
  • logic that limits the number of requests that come from a specific IP in a given time
  • ensure the database user account only has access to the specific actions it should
  • logic that makes sure the search request is coming from your site and not a 3rd party
  • limit number of search results (use pagination)
  • limit search input length (max of 30?)
Jason
Good list. Also, don't forget about sanitizing input for things like <script> tags, etc. Or make sure you at least use HTMLEDITFORMAT() when rendering the input back to the user.
Alex
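A search page that applies several items from Jason's list and Alex's comment together (cfqueryparam with a length cap, error handling around the query, pagination, HTMLEditFormat on output). This is an added example, not code from the question or any of the answers; the datasource name articlesDSN, the articles table and its columns, the FREETEXT full-text index, and the form field names are assumptions.

```cfml
<!--- Added example, not the original site's code. Assumes a datasource
      "articlesDSN", a table "articles" (id, title, body) with a SQL Server
      full-text index on body, a form field "q" and a URL param "page". --->
<cfparam name="form.q" default="">
<cfparam name="url.page" default="1">
<cfset maxTermLength = 30>   <!--- cap on search input length --->
<cfset perPage = 20>         <!--- cap on results shown per page --->

<!--- Trim and length-limit the input before it reaches the query --->
<cfset searchTerm = Left(Trim(form.q), maxTermLength)>
<cfset pageNum = Max(Val(url.page), 1)>

<cfif Len(searchTerm) LT 3>
    <p>Please enter at least 3 characters.</p>
    <cfabort>
</cfif>

<cftry>
    <!--- The term is bound as a parameter, so it is sent as data, never as
          SQL text; maxrows caps how many rows the driver returns at all. --->
    <cfquery name="results" datasource="articlesDSN"
             maxrows="#pageNum * perPage#">
        SELECT id, title
        FROM articles
        WHERE FREETEXT(body, <cfqueryparam value="#searchTerm#"
                                 cfsqltype="cf_sql_varchar"
                                 maxlength="#maxTermLength#">)
        ORDER BY id DESC
    </cfquery>
<cfcatch type="database">
    <!--- Log the real error server-side; the user sees only a generic message --->
    <cflog file="sitesearch" type="error"
           text="Search failed: #cfcatch.message# #cfcatch.detail#">
    <p>Search is temporarily unavailable.</p>
    <cfabort>
</cfcatch>
</cftry>

<!--- Echo the term back only through HTMLEditFormat, so a <script> tag
      typed into the box is rendered as text instead of executed --->
<p>Results for "<cfoutput>#HTMLEditFormat(searchTerm)#</cfoutput>":</p>

<!--- Pagination on output: startrow/maxrows pick one page of the result set --->
<cfoutput query="results"
          startrow="#(pageNum - 1) * perPage + 1#"
          maxrows="#perPage#">
    <p><a href="article.cfm?id=#id#">#HTMLEditFormat(title)#</a></p>
</cfoutput>
```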
+1  A: 

Only use stored procedures for altering the data. Limit the database user account to only be able to use views (on which you can have read-only permissions). Set the datasource to only allow select and execute (procs). Always use cfqueryparam. Place queries inside CFCs and always use correct argument types. Use an input sanitiser to check strings for injection.

And of course, #1: back up your DB on a regular basis!

SNeiland
A: 

You can also add a captcha to the search to make sure it is human driven. Then you won't wear out your server or DB trying to find answers to automated queries.

crosenblum