Prevent SQL injection without using cfqueryparam

I have old projects containing many queries that do not use cfqueryparam to prevent SQL injection. Is there a way to use some function to perform similar actions at the application level in each form field?

As a newbie with a PHP background, I thought I could loop over the data and run escape_string() or the like, but I don't want the data stored in escaped form. I think cfqueryparam does not store data in escaped form. (I have not tried it yet; I am new to CF.) Otherwise I would have to unescape the data on each retrieval, which I do not want to do. I want the input to be inserted and retrieved as is.

Basically, I just want this to be done at the application level, so I don't need to change thousands of queries in each project.

Input example

 it my book user@gmail.com '; delete database -- 
+4
2 answers

I have been at three different companies that had to completely freeze a project and assign all the developers to updating queries and stored procedures. Some even had to hire contractors for a couple of months to do this. You will have to bite the bullet and do it manually.

You can take this opportunity to remove a bunch of redundant queries, replace them with stored procedures, and move them into CFCs. This will let you reuse queries from a single source and reduce the total amount of work you have to do.

You can put a web application firewall (WAF) in place to handle some of the requests coming from outside, but they are not 100%. Depending on your clients, the code should protect against SQL injection without relying on a WAF.

+12
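As an added example (not code from the thread or from any of the posters), here is what the manual change this answer describes looks like in CFML: the unparameterised query the question is about, beside its cfqueryparam replacement, moved into a CFC as the answer suggests. The datasource name (bookstore), the table and column names (books, id, title, owner_email) and the column widths are assumptions for illustration.

```cfml
<!--- Added example, not from the thread. A gateway CFC that replaces an
      inline, unparameterised cfquery with one built on cfqueryparam.
      Datasource, table and column names are assumed. --->
<cfcomponent output="false">

    <!--- BEFORE: the pattern being discussed. The input from the question,
            it my book user@gmail.com '; delete database --
          closes the string literal, so everything after the quote reaches
          the database as SQL. Kept only for comparison; do not use. --->
    <cffunction name="saveBookUnsafe" access="public" returntype="void">
        <cfargument name="title" type="string" required="true">
        <cfargument name="email" type="string" required="true">
        <cfquery datasource="bookstore">
            INSERT INTO books (title, owner_email)
            VALUES ('#arguments.title#', '#arguments.email#')
        </cfquery>
    </cffunction>

    <!--- AFTER: each value is sent to the driver as a bind parameter. It is
          never spliced into the SQL text, so the quote and the
          "delete database" fragment are stored as ordinary characters.
          maxlength is the (assumed) column width: over-long input is
          rejected instead of silently truncated. --->
    <cffunction name="saveBook" access="public" returntype="void">
        <cfargument name="title" type="string" required="true">
        <cfargument name="email" type="string" required="true">
        <cfquery datasource="bookstore">
            INSERT INTO books (title, owner_email)
            VALUES (
                <cfqueryparam value="#arguments.title#" cfsqltype="cf_sql_varchar" maxlength="200">,
                <cfqueryparam value="#arguments.email#" cfsqltype="cf_sql_varchar" maxlength="254">
            )
        </cfquery>
    </cffunction>

    <!--- Retrieval needs no unescaping: the row comes back exactly as it was
          bound. The id is bound as an integer, so a non-numeric value is
          rejected before the query is sent. --->
    <cffunction name="getBook" access="public" returntype="query">
        <cfargument name="id" type="numeric" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="bookstore">
            SELECT id, title, owner_email
            FROM books
            WHERE id = <cfqueryparam value="#arguments.id#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn q>
    </cffunction>

</cfcomponent>
```

A form handler then calls createObject("component", "BookGateway").saveBook(form.title, form.email) instead of carrying its own cfquery, which is the single-source reuse the answer is after. Two caveats when doing the sweep: cfqueryparam only binds values, so a column name in an ORDER BY or a table name built from user input still has to be checked against an allow-list in code; and a value used with LIKE should be bound as the whole pattern (for example "#arguments.prefix#%") rather than having the wildcard concatenated into the SQL.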

You can check out FuseGuard for this. It is a ColdFusion web application firewall, and one of the things it filters for is SQL injection attacks.

You will be safer biting the bullet and changing all your queries to use cfqueryparam, but FuseGuard is cheaper than fixing a large application and gets you up and running quickly.

When my team ran into your situation (taking over an existing application with thousands of insecure queries), we installed FuseGuard and then started fixing the queries as we could find the time.

I have no financial connection with FuseGuard; just a happy customer.

+4
