ColdFusion SQL Injection

It seems a lot of ColdFusion sites out there are getting hit by an automated SQL injection attack, which appends a "<script>" tag to varchar fields using a bit of SQL Server T-SQL.

Many years ago, I wrote a script that would find queries and automatically wrap their variables in <cfqueryparam> tags (it has been available at Daryl's ColdFusion Primer). I've dug that up and updated it slightly to handle INSERT statements and to leave cached queries unparameterized. (The latter will be highlighted in red.)

(For more information about avoiding SQL Injection in the first place, see my Paranoia 101 page at the aforementioned Primer.)

Place the script (temporarily) in your webroot and run it. It will show you all of the queries in that directory tree and give you checkboxes next to each that will allow you to choose which queries to parameterize. It will also show you what the result of parameterization will look like.

Remember: it'll show you what it plans to do before it does anything. So you can run it once (and not click the "submit" button) simply to see which files contain unparameterized queries.

Caveats:

This will probably break some queries, especially if you do things like WHERE date > '#dateFormat(d)# #timeformat(d)#' or WHERE NAME LIKE '#searchname#%'. USE WITH CAUTION! It's best to test the changes before moving them into production. Remove the ".old" files once the site is confirmed as working well.
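As an added illustration (not Daryl's script, whose download is linked below), here is a Python sketch of the scan-and-propose step the post describes: it finds each <cfquery> block in a CFML string, proposes a <cfqueryparam> for every bare or quoted #variable#, leaves cached queries alone, and flags the two caveat cases (a LIKE pattern such as '#searchname#%' and a date/time concatenation) for a hand edit instead of rewriting them. The datatype guess (integer for unquoted values, varchar for quoted ones), the regular expressions and the sample template are all assumptions of this example.

```python
import re

# Example scanner, not the original script. A <cfquery> opener must be
# followed by whitespace so that <cfqueryparam> tags are never mistaken
# for query openers.
QUERY_RE = re.compile(
    r"<cfquery\s(?P<attrs>[^>]*)>(?P<body>.*?)</cfquery>",
    re.IGNORECASE | re.DOTALL,
)
# Either a single-quoted SQL literal containing #...# interpolation
# ('#form.status#', '#searchname#%') or a bare interpolation (#url.id#).
TOKEN_RE = re.compile(r"'(?P<lit>[^']*#[^']*)'|#(?P<expr>[^#]+)#")
# A literal that is exactly one interpolation and nothing else.
SINGLE_RE = re.compile(r"^#([^#]+)#$")
CACHED_ATTRS = ("cachedwithin", "cachedafter")


def param_tag(expr, sqltype):
    """The <cfqueryparam> that replaces a #expr# reference."""
    return f'<cfqueryparam value="#{expr}#" cfsqltype="{sqltype}">'


def rewrite_query(body):
    """Rewrite one query body; return (new_body, findings)."""
    findings = []

    def repl(m):
        lit = m.group("lit")
        if lit is not None:
            single = SINGLE_RE.match(lit)
            if single is None:
                # '#x#%' (LIKE) or '#dateFormat(d)# #timeFormat(d)#': SQL text
                # and interpolation share one literal, so swapping in a single
                # parameter would change the query. Leave it and flag it.
                findings.append({"expr": lit, "action": "manual"})
                return m.group(0)
            # Quoted value: assumed heuristic, treat as a string column.
            tag = param_tag(single.group(1), "CF_SQL_VARCHAR")
            findings.append({"expr": single.group(1), "action": "rewrite", "tag": tag})
            return tag
        # Unquoted value: assumed heuristic, treat as a numeric column.
        tag = param_tag(m.group("expr"), "CF_SQL_INTEGER")
        findings.append({"expr": m.group("expr"), "action": "rewrite", "tag": tag})
        return tag

    return TOKEN_RE.sub(repl, body), findings


def scan_cfml(source):
    """Report every <cfquery> in a CFML string with its proposed rewrite."""
    reports = []
    for index, m in enumerate(QUERY_RE.finditer(source)):
        attrs = m.group("attrs").lower()
        if any(a in attrs for a in CACHED_ATTRS):
            # Cached queries are reported but never rewritten.
            reports.append({"query": index, "cached": True, "findings": [],
                            "body": m.group("body")})
            continue
        new_body, findings = rewrite_query(m.group("body"))
        reports.append({"query": index, "cached": False, "findings": findings,
                        "body": new_body})
    return reports


def summarize(reports):
    """Count proposed rewrites, hand-review items and skipped cached queries."""
    counts = {"rewrite": 0, "manual": 0, "cached": 0}
    for r in reports:
        if r["cached"]:
            counts["cached"] += 1
        for f in r["findings"]:
            counts[f["action"]] += 1
    return counts


# Constructed sample template; table, column and variable names are made up.
SAMPLE = """
<cfquery name="getUser" datasource="app">
    SELECT * FROM users WHERE id = #url.id# AND status = '#form.status#'
</cfquery>
<cfquery name="search" datasource="app">
    SELECT * FROM users WHERE name LIKE '#form.name#%'
    AND created > '#dateFormat(d)# #timeFormat(d)#'
</cfquery>
<cfquery name="lookup" datasource="app" cachedwithin="#createTimeSpan(0,1,0,0)#">
    SELECT * FROM codes WHERE code = '#code#'
</cfquery>
"""

if __name__ == "__main__":
    reports = scan_cfml(SAMPLE)
    for r in reports:
        state = "CACHED (skipped)" if r["cached"] else "proposed rewrite"
        print(f"query {r['query']}: {state}")
        for f in r["findings"]:
            print(f"  {f['action']:8} {f['expr']}")
        print(r["body"])
    print(summarize(reports))
```

Running it prints one report per query: the first query gets two parameter tags, the second is left untouched with both literals flagged for manual review (exactly the cases the caveat above warns about), and the cached third query is skipped. A real tool would also confirm the column types against the schema instead of guessing from quoting.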

Download the Script

Comments
Very cool! The only problem I ran into was some of my queries have a variable with the word "update" in them, and the parameterizer was making those a timestamp, even though the real datatype is an integer (I guess it's because of the word "date" that's part of "update")?

Anyway, other than that, this tool worked great!
# Posted By Jake Munson | 7/22/08 10:55 AM
Very cool. I blogged Peter Boughton's queryparam Scanner last night from RiaForge. I'll have to give yours a whirl too. I was wondering if it would be possible to auto-fix stuff, but I didn't think it would be possible to get the correct datatypes. I'll check out what you did.

Thanks.
# Posted By Brad Wood | 7/22/08 11:44 AM
What about changing it to also scan .cfc files?
# Posted By duncan | 7/24/08 2:19 AM
Also doesn't seem to work where a query would have a LIKE in it, e.g.
WHERE name like '#form.name#%'
# Posted By duncan | 7/24/08 3:05 AM
Duncan, I have already blogged a fix to make it scan .cfm, .cfml, and .cfc files.
http://www.codersrevolution.com/index.cfm/2008/7/2...

If you successfully implement a change to get it to properly recognize the like syntax let me know. I would like to clean up the interface a little bit. I don't know if Daryl has any time to assist with this. Perhaps he will chime in and let us know.
# Posted By Brad Wood | 7/24/08 3:13 AM
I was having problems with the script doing weird things due to the logic used to find the open CFQUERY tag. On one template, I was just getting thousands of lines that read: [cfqueryparam /] (with greater than/less than in place of brackets.)

So, I changed my instances of:

findNoCase("<CFQUERY",TheFile)

to:

reFindNoCase("<CFQUERY\s",TheFile)

And that fixed all my problems.
# Posted By Dan G. Switzer, II | 7/24/08 10:14 AM
I love this app!

But, any reason it uses the default "CF_SQL_CHAR"?

I'm using MSSQL and most of my 'text' fields are nvarchar. So am I correct that I need to set it to "CF_SQL_VARCHAR"? Is there any way to change this to be the default value? Thanks!
# Posted By Jeremy Kay | 7/29/08 10:58 AM
I have set up the app to leave everything UNchecked. I then check ONE query to update and it will update 2 or 3 pages...
I've looked at the code and it seems that there is an error with the 'hash' part in the checkbox. It will repeat the same hash multiple times.

Has anyone else had this problem?
# Posted By Jeremy Kay | 7/29/08 12:47 PM
You are a God! Totally saved me hours. Thanks!
# Posted By John Fitzgerald | 8/4/08 4:38 AM
Will this run on os x?
# Posted By Sam Singer | 8/12/08 11:15 AM