Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Prevent SQL injection without using cfqueryparam

Tags:

coldfusion

sql-injection

I have old projects containing a lot of queries which are not using cfqueryparam to prevent SQL injection. Is there any way to use some function to do similar on Application level on each form field?

As a beginner with a PHP background, I thought I could loop posted data and do an escape_string() or similar. but I don't want data to be saved in escaped form. I think cfqueryparam doesn't save data in escaped form. (I haven't tried it yet. I'm new at CF.) Otherwise, I have to unescape the data back on each retrieve, which I don't want to do. I want the input to be inserted and retrieved as is.

Basically I just want it to be done at application level so I don't have to change thousands of queries one by one on each project.

Sample input

it's my book
[email protected]'; delete database --
like image 705
Abdul Rehman Avatar asked Dec 05 '22 02:12

Abdul Rehman

2 Answers

I've been at three different companies that had to do a complete project freeze and assign all devs to update calls to queries and stored procedures. Some even had to hire contractors to just do that for a couple of months. You're going to have to bite the bullet and do them manually.

You might take this opportunity to remove a bunch of redundant queries, replace them with stored procedures and move them to CFCs. This would allow you reuse queries from a single source and reduce the overall amount of work you'll have to do.

You can put a Web Application Firewall (WAF) in place to handle some requests from the outside, but they're not 100%. Depending on your clients, the code has to protect from SQL Injection without the use of a WAF.

like image 154
Adrian J. Moreno Avatar answered Jan 06 '23 01:01

Adrian J. Moreno

You might checkout FuseGuard for that. It is a ColdFusion web application firewall and one of the things that it filters for is SQL injection attacks.

You will be more secure biting the bullet and changing all of your queries to use cfqueryparam, but FuseGuard is cheaper than fixing a large application and quick to get up and running.

When my team ran into your situation (taking over an existing app with thousands of unprotected queries), we installed FuseGuard and then started tackling queries as we could get the time.

I don't have any financial connection to FuseGuard - just a happy customer.

like image 24
Steve Bryant Avatar answered Jan 06 '23 01:01

Steve Bryant
Sign in to Comment

Related questions

Make .cfm template accessible only via ajax call?
Invalid token '\n' found on line 31 at column 0
Difference between cfif not...EQ and cfif...NEQ?
How do I force a Coldfusion cfc to output numeric data over JSON as a string?
Cleansing string / input in Coldfusion 9
Which is better for UDFs: CFC vs CFM
In ColdFusion 8, can you declare a function as private using cfscript?
Future of Fusebox framework
Passing a Table Valued parameter to a stored procedure
Is there a function similar to ArrayFind from ColdFusion 9 in ColdFusion 8?
ColdFusion Conditional RecordCount
cfdump alternative to pass output as a string
Is there a CFHTMLHEAD equivalent for CFSCRIPT?
Why does Coldfusion evaluate these numbers to not be equal?
How can I always round down to the closest 10 whole number?
CFPDFForm Populate Error - java.lang.NullPointerException: Platform, Locale, and Platform Name must not be null
How to set a variable with both single and double quotes?
What does the ColdFusion framework "fusebox" do exactly?
What's the difference between Coldfusion Developer Edition and Enterprise Edition?
coldfusion string comparison

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!