tags:

views:

182

answers:

4
+6  Q: 

How do I prevent SQL injection with ColdFusion

How do I prevent SQL injection when it comes to ColdFusion? I'm quite new to the language/framework.

Here is my example query.

<cfquery name="rsRecord" datasource="DataSource">
    SELECT * FROM Table
    WHERE id = #url.id#
</cfquery>

I see passing in url.id as a risk.

+13  A: 

Use a <cfqueryparam> tag for your id:
http://www.adobe.com/livedocs/coldfusion/6.1/htmldocs/tags-b20.htm

<cfquery name="rsRecord" datasource="DataSource">
    SELECT * FROM Table
    WHERE id = 
     <cfqueryparam value = "#url.id#"
        CFSQLType = "CF_SQL_INTEGER">
</cfquery>
Joel Coehoorn  2010-04-07 13:23:14
@Joel Coehoorn - can you provide an example? Thanks!
Daniel A. White  2010-04-07 13:28:42
+3  A: 
  • use a parameterized stored procedure
  • cfqueryparam
  • error handling around individual query
  • error handling for site via <cferror>
  • logic that limits the number of request that come from a specific IP in a given time
  • ensure the database user account only has access to the specific actions it should
Jason  2010-04-07 13:35:38
A: 

Another option is to use stored procedures (if you database supports them).

http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_r-s_22.html

 2010-04-20 17:05:40
A: 

Using cfqueryparam is for preventing SQL injection is good. But, you can't use cachewithin in cfquery tag if you want to use cfqueryparam. My another advice is do just like that

Put this condition at the top of your page.

<CFIF IsDefined("id") AND NOT IsNumeric(id)> <cfabort showerror="Invalid Query String"> </CFIF>

In your query tag, use just like this:

WHERE ID = #Val(id)#

See also, how to prevent: http://ppshein.wordpress.com/2008/08/28/block-ip-in-coldfusion/

ppshein  2010-05-21 03:11:42
Better to implement caching manually than try to implement database protection manually.
Peter Boughton  2010-05-21 09:16:55
probably better to use cfparam to enforce the typing at least, but I agree, it's almost always better to screw up caching than screw up security
Grey  2010-05-21 13:16:29

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP