March 19th, 2013, 02:34 PM
How to prevent SQL Injection
How would I prevent SQL injection in the link below?
Would I just make sure there are cfparams on this page for client.user and client.usertype?
March 19th, 2013, 04:26 PM
Always use cfqueryparam (bind variables) in your queries, which has many benefits. One of which is preventing SQL injection attacks.
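To make the advice above concrete, here is an added example (not code from the thread or the original poster's site) showing the same lookup written with string concatenation and then with a bind variable. The datasource name "myDSN", the "users" table and its columns are assumed for illustration.

```cfml
<!--- VULNERABLE (for comparison only): the URL value is spliced straight into the SQL
      text, so a crafted username changes the statement itself. --->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT user_id, username, usertype
    FROM   users
    WHERE  username = '#url.username#'
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a bind variable. The database treats it
      as data, never as SQL, and the type/length constraints reject out-of-range input. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT user_id, username, usertype
    FROM   users
    WHERE  username = <cfqueryparam value="#url.username#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>

<!--- Numeric parameters get a numeric cfsqltype, which also rejects non-numeric input
      before the query is ever sent. --->
<cfquery name="getRoom" datasource="myDSN">
    SELECT room_id, room_name
    FROM   chat_rooms
    WHERE  room_id = <cfqueryparam value="#url.room#" cfsqltype="cf_sql_integer">
</cfquery>
```

Beyond injection, the bind variable lets the database cache the execution plan, which is the other benefit the reply alludes to.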
March 19th, 2013, 05:28 PM
The use of cfqueryparam definitely is a must, however in this case I'm not using the variable and passing it to a db query.
I log into the site and it sets 'client.user' to the username I'm logged in as. From the site I can then access a chat room and it passes my username into the chatroom so that username is displayed.
This is the link URL:
A scan was run and one of the results was this: The username parameter appears to be vulnerable to SQL injection attacks. The payloads (select%201) and (select%201%2c2) were each submitted in the username parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
So in the URL of the browser could someone replace the username that is passed with a possible SQL Injection attempt even though the variable isn't being passed to a SQL Query, or would this be considered a false positive?
March 19th, 2013, 05:40 PM
Are you storing client variables in a database? If not, then no, I don't see how there can be a SQL injection attack if the data is never used while accessing a database.
If you still want to add logic to eliminate suspicious data, you can use something like this simple function to test whether the value contains likely SQL injection code: http://www.cflib.org/udf/IsSQLInject
March 20th, 2013, 07:42 AM
What about in the case of cross site scripting attacks?
I've read where you can add scriptprotect="all" in the application file. I've done this but I'm not seeing any change. Also I've read I should wrap htmleditformat around variables.
The following attack I'm not too sure about. A user can take the URL and modify it to what is below.
Actual URL: index.cfm?action=act_do_login&room=1
CF throws an error 'Could not find the included template act_do_login29fb9<img src=a onerror=alert(1)>f2f8569f2c8.cfm.' however, the alert still works.
</cfif>
What is the best way to remedy these types of situations?
March 20th, 2013, 08:11 AM
Yes, you can turn on scriptprotect, or add your own logic to inspect the form and URL scopes to remove XSS code.
Also, if you are just taking form or URL variables and using them in cfincludes without any validation, you have much bigger problems than XSS. A hacker can basically invoke any template on your server.
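The reply above makes two points: encode or strip user input before it reaches the page, and never build an include path from a URL or form value. The following added example (not code from the thread or the poster's application) shows one way to do both. The application name "chatApp", the template paths under "actions/", and the use of client.user for the display name are assumptions for illustration.

```cfml
<!--- Application.cfc: turn on ColdFusion's built-in script protection for every scope.
      This is the same setting as scriptprotect="all" on <cfapplication> in Application.cfm. --->
<cfcomponent>
    <cfset this.name = "chatApp">
    <cfset this.scriptProtect = "all">
</cfcomponent>
```

```cfml
<!--- index.cfm: the reflected-alert case in the question arises because the raw
      url.action value was turned into a file name and then echoed back in an error page.
      Resolving the action through an allowlist means unknown values never reach
      cfinclude at all. --->
<cfset allowedActions = {
    "act_do_login" = "actions/do_login.cfm",
    "act_chat"     = "actions/chat.cfm"
}>

<!--- Default and validate the inputs this page actually uses. type="integer" makes
      cfparam throw on a non-numeric room id instead of passing it along. --->
<cfparam name="url.action" default="act_do_login" type="string">
<cfparam name="url.room"   default="1"            type="integer">

<cfif structKeyExists(allowedActions, url.action)>
    <!--- Only a path we chose ourselves is ever handed to cfinclude. --->
    <cfinclude template="#allowedActions[url.action]#">
<cfelse>
    <!--- Unknown action: respond without reflecting the submitted value into the HTML. --->
    <cfheader statuscode="404" statustext="Not Found">
    <p>Unknown action.</p>
    <cfabort>
</cfif>
```

```cfml
<!--- actions/chat.cfm: HTML-encode anything user-controlled at the point of output.
      htmlEditFormat is what the question mentions; on ColdFusion 10 and later,
      encodeForHTML() is the newer function for the same purpose. --->
<cfoutput>
    <p>Welcome to room #url.room#, #htmlEditFormat(client.user)#</p>
</cfoutput>
```

Note that scriptProtect only filters a fixed set of tag patterns from incoming scopes; it is not a substitute for encoding on output, and it does nothing about the include problem, which only the allowlist addresses.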