Today is Operation cf_SQLprotect
Posted by
Brad Wood
Jul 25, 2008 20:45:00 UTC
Today is the day. Unless you can bet money that every cfquery in your application is completely safe from SQL inject attacks you need to stop what you are doing and scan your sites. I have reviewed two cfqueryparam scanners to find vulnerable queries and one of them will even fix 95% of your code for you! If your boss asks what you are doing, tell him you found a security vulnerability being exploited and it needs to be closed. He'll understand.After you fix your code, please contact me and tell me the number of cfqueries you fixed. I will keep an anonymous running total of the good work we have accomplished.
I'm normally not into re-hosting downloads, but riaforge seems to be down at this exact moment (1:26 CST) and I have a couple changes to one of the scanners to include .cfc files so here you go:
http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect
- qpScanner by Peter Boughton (RiaForge)
- Query Parameterizer by Daryl Banttari
http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect
Susan Murray
Shouldn't non-integer variables be parameterized, also? And everything should have cfsqltype defined?
Brad Wood
@Susan: I would say that ALL parameters should be paramaterized, or AT LEAST scrubbed.
For instance, wrapping val() around numberic values would not create a parameterized query, but it would at least protect you from SQL injection attacks.
As far as the cfsqltype, it is entirely up to you. That attribute has nothing to do with out the SQL executes, it simply provides an extra layer of validation on the CF side before it is sent to the SQL server. The cfqueryparam tag will throw an error if the value being passed in does not match the type specified. While handy, that is not required in order to protect from SQL injection attacks.