 

Prevent SQL injection without using cfqueryparam

I have old projects containing a lot of queries which are not using cfqueryparam to prevent SQL injection. Is there any way to use some function to do something similar at the application level on each form field?

As a beginner with a PHP background, I thought I could loop over the posted data and do an escape_string() or similar. But I don't want data to be saved in escaped form. I think cfqueryparam doesn't save data in escaped form. (I haven't tried it yet; I'm new at CF.) Otherwise, I would have to unescape the data on each retrieve, which I don't want to do. I want the input to be inserted and retrieved as is.

Basically I just want it to be done at the application level so I don't have to change thousands of queries one by one in each project.

Sample input:

it's my book
[email protected]'; delete database --

Abdul Rehman asked Dec 05 '22 02:12


2 Answers

I've been at three different companies that had to do a complete project freeze and assign all devs to update calls to queries and stored procedures. Some even had to hire contractors to just do that for a couple of months. You're going to have to bite the bullet and do them manually.

You might take this opportunity to remove a bunch of redundant queries, replace them with stored procedures and move them to CFCs. This would allow you to reuse queries from a single source and reduce the overall amount of work you'll have to do.

You can put a Web Application Firewall (WAF) in place to handle some requests from the outside, but they're not 100%. Depending on your clients, the code has to protect from SQL Injection without the use of a WAF.

Adrian J. Moreno answered Jan 06 '23 01:01
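To make the "bite the bullet" advice concrete, here is the kind of per-query change it involves, written as an added example that is not part of either answer or of the asker's code. The datasource name `myDSN`, the `users` table, its column names and the `getUserByEmail` CFC method are all assumptions; the injection string is the question's own sample input.

```cfml
<!--- BEFORE (vulnerable): the form value is pasted straight into the SQL text.
      With the question's sample input the statement the database receives is
          WHERE email = '[email protected]'; delete database --'
      i.e. the quote in the input closes the literal and the rest is parsed as SQL. --->
<cfquery name="findUser" datasource="myDSN">
    SELECT id, email
    FROM   users
    WHERE  email = '#form.email#'
</cfquery>

<!--- AFTER (hardened): cfqueryparam sends the value as a bind parameter.
      The database never parses it as SQL, so no escaping is applied and the
      value is stored and read back exactly as typed, which is what the asker wants.
      cfsqltype is also a validation step: a non-numeric value bound with
      cf_sql_integer raises a ColdFusion error before the query is sent. --->
<cfquery name="findUser" datasource="myDSN">
    SELECT id, email
    FROM   users
    WHERE  email = <cfqueryparam value="#form.email#"
                                 cfsqltype="cf_sql_varchar"
                                 maxlength="254">
</cfquery>

<!--- Numeric example: URL parameters need the same treatment, and the integer
      type rejects strings such as "1 OR 1=1" outright. --->
<cfquery name="getBook" datasource="myDSN">
    SELECT id, title
    FROM   books
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Moving the query into a CFC (as the answer suggests) means the parameterised
      version exists once and every caller gets it for free. --->
<cfcomponent displayname="UserGateway" output="false">

    <cffunction name="getUserByEmail" access="public" returntype="query" output="false">
        <cfargument name="email" type="string" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="myDSN">
            SELECT id, email
            FROM   users
            WHERE  email = <cfqueryparam value="#arguments.email#"
                                         cfsqltype="cf_sql_varchar"
                                         maxlength="254">
        </cfquery>
        <cfreturn q>
    </cffunction>

</cfcomponent>

<!--- Usage from a page: the caller never touches SQL at all. --->
<cfset users = createObject("component", "UserGateway").getUserByEmail(form.email)>
```

One practical check while working through the backlog: grep the code base for `#` characters inside `<cfquery>` blocks that are not wrapped in `<cfqueryparam>`; every hit is a query that still needs converting, and the list doubles as a progress counter for the freeze Adrian describes.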


You might check out FuseGuard for that. It is a ColdFusion web application firewall, and one of the things it filters for is SQL injection attacks.

You will be more secure biting the bullet and changing all of your queries to use cfqueryparam, but FuseGuard is cheaper than fixing a large application and quick to get up and running.

When my team ran into your situation (taking over an existing app with thousands of unprotected queries), we installed FuseGuard and then started tackling queries as we could get the time.

I don't have any financial connection to FuseGuard - just a happy customer.

Steve Bryant answered Jan 06 '23 01:01