I have old projects containing a lot of queries which are not using cfqueryparam
to prevent SQL injection. Is there any way to use some function to do similar on Application level on each form field?
As a beginner with a PHP background, I thought I could loop over the posted data and do an escape_string()
or similar, but I don't want data to be saved in escaped form. I think cfqueryparam
doesn't save data in escaped form. (I haven't tried it yet. I'm new at CF.) Otherwise, I have to unescape the data back on each retrieve, which I don't want to do. I want the input to be inserted and retrieved as is.
Basically I just want it to be done at application level so I don't have to change thousands of queries one by one on each project.
Sample input:
it's my book
[email protected]'; delete database --
I've been at three different companies that had to do a complete project freeze and assign all devs to update calls to queries and stored procedures. Some even had to hire contractors to just do that for a couple of months. You're going to have to bite the bullet and do them manually.
You might take this opportunity to remove a bunch of redundant queries, replace them with stored procedures and move them to CFCs. This would allow you to reuse queries from a single source and reduce the overall amount of work you'll have to do.
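To show what the manual conversion recommended above looks like, here is an added example (not code from the question or the answer). It takes the kind of concatenated query the question describes, shows the cfqueryparam version beside it, and then moves the same query into a CFC so it can be reused from one place. The datasource name, table and column names are assumptions; the cfscript CFC uses queryExecute, which requires ColdFusion 11+ or Lucee. With the bound parameter, the value is sent to the database separately from the SQL text, so both sample inputs from the question (the apostrophe in "it's my book" and the injection attempt) are stored and retrieved unchanged, with no escaping to undo later.

```cfml
<!--- BEFORE: the value is concatenated into the SQL string.
      Input such as  [email protected]'; delete database --  ends the literal
      and appends its own statement; even the legitimate "it's my book"
      breaks the query on its apostrophe. --->
<cfquery name="books" datasource="#application.dsn#">
    SELECT id, title FROM books WHERE title = '#form.title#'
</cfquery>

<!--- AFTER: cfqueryparam binds the value as a typed parameter.
      The SQL text never changes; the value is stored exactly as typed.
      maxlength is an extra sanity bound on the input (assumed column width). --->
<cfquery name="books" datasource="#application.dsn#">
    SELECT id, title FROM books
    WHERE title = <cfqueryparam value="#form.title#" cfsqltype="cf_sql_varchar" maxlength="200">
</cfquery>

<!--- The same query centralised in a CFC (assumed file: model/BookService.cfc)
      so every page that needs it calls one parameterised version. --->
<cfscript>
component displayname="BookService" {

    // datasource name is an assumption for this example
    variables.dsn = "myAppDsn";

    public query function getBooksByTitle(required string title) {
        // Named parameter :title is bound, not concatenated.
        return queryExecute(
            "SELECT id, title FROM books WHERE title = :title",
            { title = { value = arguments.title, cfsqltype = "cf_sql_varchar", maxlength = 200 } },
            { datasource = variables.dsn }
        );
    }

    public numeric function addBook(required string title, required string ownerEmail) {
        // Both inserted values round-trip unchanged: no escaping on the way in,
        // nothing to unescape on the way out.
        var result = "";
        queryExecute(
            "INSERT INTO books (title, owner_email) VALUES (:title, :email)",
            {
                title = { value = arguments.title,      cfsqltype = "cf_sql_varchar", maxlength = 200 },
                email = { value = arguments.ownerEmail, cfsqltype = "cf_sql_varchar", maxlength = 254 }
            },
            { datasource = variables.dsn, result = "result" }
        );
        return result.recordCount;
    }
}
</cfscript>

<!--- Usage from a page, replacing the inline cfquery above --->
<cfset bookService = createObject("component", "model.BookService")>
<cfset books = bookService.getBooksByTitle(form.title)>
```

While converting, a quick way to find the remaining unprotected queries is to search the code base for `#` inside `<cfquery>` bodies that is not preceded by `cfqueryparam`; each hit is a candidate for the same rewrite.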
You can put a Web Application Firewall (WAF) in place to handle some requests from the outside, but they're not 100%. Depending on your clients, the code has to protect from SQL Injection without the use of a WAF.
You might check out FuseGuard for that. It is a ColdFusion web application firewall and one of the things that it filters for is SQL injection attacks.
You will be more secure biting the bullet and changing all of your queries to use cfqueryparam, but FuseGuard is cheaper than fixing a large application and quick to get up and running.
When my team ran into your situation (taking over an existing app with thousands of unprotected queries), we installed FuseGuard and then started tackling queries as we could get the time.
I don't have any financial connection to FuseGuard - just a happy customer.