I've been SQL injected!

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
Well, not really...it wasn't my code. But, I'd never actually seen a SQL injection before.

The culprit? A page that pulls management bios from a database and displays them.

Moral of the story? Don't embed form variables (or URL variables) directly in your SQL queries without first verifying them!
 

JACKDRUID

Senior member
Nov 28, 2007
729
0
0
Or you can use a stored procedure, which should take care of most of the SQL injection attacks.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
Yeah...my customer is learning that very quickly.

Anyway, as an update, it appears that this is a fairly widespread issue with ColdFusion 8 that's cropped up in the past few days. It's affected two completely disparate sites on separate servers of mine now in the last two days. Interesting. Both times were pages that were written in similar fashion (not by me) and used inline queries.

Just a warning to anyone else out there using ColdFusion...check your queries!

Edit: For anyone who's interested, here's some more info: http://www.coldfusionmuse.com/...te-Ben-Speaks-His-Mind
 

alocurto

Platinum Member
Nov 4, 1999
2,173
0
76
I had that happen to a site I am hosting (didn't write) in CF. ha, it's a freakin mess and a half. They are like "Fix it!"... yeah... ummm 10000+ CFM pages.. I'll get right on that. Always use parameterized queries from code and always use stored procs.
 

Snapster

Diamond Member
Oct 14, 2001
3,917
0
0
Thankfully most of the sites I've had to 'fix' have had a common include file where I can just scan through the request vars for fishy stuff. Saves me having to update loads of pages quickly/cheaply.
 

alpha88

Senior member
Dec 29, 2000
877
0
76
You should investigate the competence of whoever is writing the code.

ColdFusion is probably the easiest language to protect against SQL injection.

You can still do 'inline' SQL, just use <cfqueryparam /> in all your queries.

Example

<cfquery name="select">
SELECT Something FROM Users WHERE Email = <cfqueryparam value="#URL.EmailAddr#" cfsqltype="CF_SQL_CHAR" />
</cfquery>
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
From what I've read, ColdFusion automatically escapes strings within SQL queries. The vulnerability (this one, anyway) had to do with injecting into number fields.

I would still parameterize them...but just saying.
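As an added example (not code posted in this thread), here is the numeric-field case drebo describes next to the cfqueryparam fix alpha88 recommends, plus the kind of shared-include check Snapster mentions. The datasource name "bios" and the table management_bios(bio_id, name, title, email, bio) are assumptions.

```cfml
<!--- Added example, not code from the thread. Assumes a datasource named
      "bios" (hypothetical) and a table management_bios(bio_id, name, title, email, bio). --->

<!--- Vulnerable pattern: the numeric URL value is pasted into the SQL text.
      ColdFusion's automatic quote escaping never applies here because a
      numeric comparison has no quotes around it, so anything after the
      digits becomes part of the statement. --->
<cfquery name="bioUnsafe" datasource="bios">
    SELECT name, title, bio
    FROM management_bios
    WHERE bio_id = #URL.id#
</cfquery>

<!--- Hardened version: cfqueryparam sends the value as a bound parameter and
      validates it against the declared type, so a non-integer request fails
      with a ColdFusion error instead of ever reaching the database. --->
<cfquery name="bio" datasource="bios">
    SELECT name, title, bio
    FROM management_bios
    WHERE bio_id = <cfqueryparam value="#URL.id#" cfsqltype="CF_SQL_INTEGER" />
</cfquery>

<!--- Same approach for a string column; maxlength caps the bound value. --->
<cfquery name="byEmail" datasource="bios">
    SELECT name, title, bio
    FROM management_bios
    WHERE email = <cfqueryparam value="#URL.emailAddr#" cfsqltype="CF_SQL_VARCHAR" maxlength="254" />
</cfquery>

<!--- Defence in depth for a site with too many pages to fix at once: a check in
      a shared include (for example Application.cfm) that rejects a non-integer
      id before any page-level query runs. It is a stopgap, not a replacement
      for parameterizing the queries themselves. --->
<cfif structKeyExists(URL, "id") and not isValid("integer", URL.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>
```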
 

AleleVanuatu

Member
Aug 16, 2008
95
0
0
This is such a noob mistake. Soon I hope that most languages won't even let this happen by building in sanity-checking into the relevant sql api.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: AleleVanuatu
This is such a noob mistake. Soon I hope that most languages won't even let this happen by building in sanity-checking into the relevant sql api.

You won't be able to prevent this on the API level until you stop letting people run ad hoc queries. If the API was checking every single query for sanity, there would be quite a bit more overhead than what you currently see.

For example, Ruby on Rails has great built-in ways to generate results from a database where you don't have to type a single line of SQL. It handles all of the escaping and prevents SQL injection, yet you can still run a full-blown hand-written SQL statement through code, where it won't check the query and will just run it, which is vulnerable to SQL injection.
 