Comments
By Roger Strukhoff
Richard Davies wrote: The UK has a good crop of technology pioneers in cloud computing - for example ElasticHosts, FlexiScale, Flexiant, OnApp - and also some strong government initiatives such as G-Cloud. We will have to see whether this kind of technical leadership converts into swift mass-market adoption or not.
Jan. 8, 2012 11:38 AM EST
Cloud Computing
Conference & Expo
November 2-4, 2009 NYC
Register Today and SAVE !..
Did you read today's front page stories & breaking news?
SYS-CON.TV: The Missing Link in SOA Projects. Guest Gartner Analyst Roy Schulte

2008 West
DIAMOND SPONSOR:
Data Direct
SOA, WOA and Cloud Computing: The New Frontier for Data Services
PLATINUM SPONSORS:
Red Hat
The Opening of Virtualization
GOLD SPONSORS:
Appsense
User Environment Management – The Third Layer of the Desktop
Cordys
Cloud Computing for Business Agility
EMC
CMIS: A Multi-Vendor Proposal for a Service-Based Content Management Interoperability Standard
Freedom OSS
Practical SOA” Max Yankelevich
Intel
Architecting an Enterprise Service Router (ESR) – A Cost-Effective Way to Scale SOA Across the Enterprise
Sensedia
Return on Assests: Bringing Visibility to your SOA Strategy
Symantec
Managing Hybrid Endpoint Environments
VMWare
Game-Changing Technology for Enterprise Clouds and Applications
Click For 2008 West
Event Webcasts

2008 West
PLATINUM SPONSORS:
Appcelerator
Get ‘Rich’ Quick: Rapid Prototyping for RIA with ZERO Server Code
Keynote Systems
Designing for and Managing Performance in the New Frontier of Rich Internet Applications
GOLD SPONSORS:
ICEsoft
How Can AJAX Improve Homeland Security?
Isomorphic
Beyond Widgets: What a RIA Platform Should Offer
Oracle
REAs: Rich Enterprise Applications
Click For 2008 Event Webcasts
In many cases, the end of the year gives you time to step back and take stock of the last 12 months. This is when many of us take a hard look at what worked and what did not, complete performance reviews, and formulate plans for the coming year. For me, it is all of those things plus a time when I u...
MORE »
SYS-CON.TV
ColdFusion News Desk
ColdFusion Developer's Journal Special: How to Prevent an SQL Injection Attack
SQL Injection Attacks are One of the Easiest Ways to Hack Into A Website - Learn How to Prevent Them
Aug. 8, 2008 04:00 PM

SQL Injection attacks are one of the easiest ways to hack into a website. One recent hack, using a script from verynx.cn, involves injecting SQL into a web form that then appends some JavaScript code into fields in a database that then gets executed on the client side when a user views a database-driven page. To learn more about this hack, go to this link

If you're using ColdFusion, to harden your website from sql injection attacks add the following code to your Application.cfm file. If you're not using ColdFusion, you can translate this code into the language you're using and it should still work.

<!--- CREATE SQL REGULAR EXPRESSION--->
<cfset sqlregex = "
(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|
(UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|
(INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|
(DELETE\sFROM\s[\d\w\'\=]+)|
(DROP\sTABLE\s[\d\w\'\=]+)">

<!--- CHECK FORM VARIABLES --->
<cfloop collection="#form#" item="formelement">
         <cfif isSimpleValue(evaluate(formelement)) AND refindnocase(sqlregex, "#evaluate(formelement)#")>
                  <cflocation url="messages.cfm?message=Invalid Input. Possible SQL Injection attack.">
                  <cfset StructClear(form)>
                  <cfabort>
         </cfif>
</cfloop>

<!--- CHECK URL VARIABLES --->
<cfloop collection="#url#" item="formelement">
         <cfif isSimpleValue(evaluate(formelement)) AND refindnocase(sqlregex, "#evaluate(formelement)#")>
                  <cflocation url="messages.cfm?message=Invalid Input. Possible SQL Injection attack.">
                  <cfset StructClear(url)>
                  <cfabort>
         </cfif>
</cfloop>

This code would reside in your Application.cfm file which gets executed every time a ColdFusion file is requested on the server. What it does is it checks all form and URL variables to see if they contain any patterns matching an SQL SELECT, UPDATE, INSERT, DELETE or DROP statement.

If a match is found, the user is redirected to a message page indicating that a possible SQL Injection attack was made and the SQL injection is prevented.


Published Aug. 8, 2008— Reads 11,431 — Feedback 6
Copyright © 2008 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

I could not make this work in CFMX8. Does anyone have any suggestions?

There’s a very nasty SQL injection attacking our sites at the moment:

DECLARE @S CHAR(4000);
SET @S=CAST(0x44…..72 AS CHAR(4000));
EXEC(@S);

You need to add DECLARE and EXEC to the regex.
I use (exec(|ute)[\s|\(]) which traps EXEC( and EXECUTE

If I change sqlregex = "select" for testing the code works fine.

The complete regular expression as listed above doesn't seem to work in CFMX8.

Dangerous Solution!

Whilst it can be useful to attempt to detect SQL injection; using detection as a defence mechanism is risky.

The only way to really be sure that no SQL injection will be possible in ColdFusion is to ensure all queries use the cfqueryparam tag around user supplied input. Additionally, all user input should be validated server side in order to ensure it matches a specific and expected data type and format.

In programming, one can always prove what is true, but not always prove what is false. Trying to protect a system by determining what user input is bad is shakey. By contrast, protecting a system by determining what user input is good is solid. Essentially, a system should only accept and process user input which adheres to an expected datatype and format. Everything else should be rejected.

Beware!

And, if I may, add TRUNCATE TABLE (or the equivalent for your DBMS)

Dont forget that DECLARE should also be in the list.


Your Feedback
littleviews wrote: I could not make this work in CFMX8. Does anyone have any suggestions?
Cliff Mosdall wrote: There’s a very nasty SQL injection attacking our sites at the moment: DECLARE @S CHAR(4000); SET @S=CAST(0x44…..72 AS CHAR(4000)); EXEC(@S); You need to add DECLARE and EXEC to the regex. I use (exec(|ute)[\s|\(]) which traps EXEC( and EXECUTE
Keith Levenson wrote: If I change sqlregex = "select" for testing the code works fine. The complete regular expression as listed above doesn't seem to work in CFMX8.
Christopher Cundill wrote: Dangerous Solution! Whilst it can be useful to attempt to detect SQL injection; using detection as a defence mechanism is risky. The only way to really be sure that no SQL injection will be possible in ColdFusion is to ensure all queries use the cfqueryparam tag around user supplied input. Additionally, all user input should be validated server side in order to ensure it matches a specific and expected data type and format. In programming, one can always prove what is true, but not always prove what is false. Trying to protect a system by determining what user input is bad is shakey. By contrast, protecting a system by determining what user input is good is solid. Essentially, a system should only accept and process user input which adheres to an expected datatype and format. Everything else should be rejected. Beware!
Peter Walters wrote: And, if I may, add TRUNCATE TABLE (or the equivalent for your DBMS)
Ernest Breau wrote: Dont forget that DECLARE should also be in the list.
SOA World Latest Stories
By Elizabeth White
Cloud is a shift from the focus on underlying technology implementation to leveraging existing implementations and further building upon them. Cloud orchestration or a network of clouds is the wave of the future where these clouds can operate with elasticity, scalability, and efficienc...
By Ravi Muthusubramanian
In Aug 2011, around 72 million people accessed social networking sites from mobile, increase of 37% from previous year (study by ComScore) and nearly 50% (of 72 million) access networking sites almost every day. Devising a cohesive strategy for addressing both mobility and social medi...
By Maureen O'Gara
Citrix has opened up a beta of its CloudStack 3, the first release of the open source cloud platform under the Citrix brand. Citrix acquired the Java-based cloud management last year when it bought Cloud.com. A full production version of the branded stuff is supposed to be available ...
By Maureen O'Gara
EMC and VMware are going into the cloud business with Atos, the big, publicly owned, Paris-based global IT services firm, intending to take an equity position in Canopy, an end-to-end cloud company Atos is setting up using EMC and VMware technology. The companies said Wednesday when ...
By Maureen O'Gara
A Munich court Thursday found Motorola Mobility guilty of infringing an Apple patent and handed Apple a permanent injunction against two Android smartphones. Apple can enforce the injunction after posting a bond lest MMI succeed in invalidating the slide-to-unlock patent (EP1964022) ...
By Maureen O'Gara
In a surprise move on Tuesday, January 10, Oracle wheeled out its Big Data Appliance. That’s the one it said in October would be ready sometime in the first half. Only nobody believed it meant early in the first half. Heck, it’s not even clear anybody thought Oracle could make the fi...
MORE »
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)sys-con.com!

Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021

SYS-CON Featured Whitepapers
Most Read This Week
By Jeremy Geelan
By Bob Hockman
By Brian McCallion
By Steven Yaskin
By Jeremy Geelan
By Jeremy Geelan
By Udayan Banerjee
By Jeremy Hess
By Udayan Banerjee
By Maureen O'Gara
By Liz McMillan
By Hollis Tibbetts
ADS BY GOOGLE