Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am trying to improve my application’s security. Whenever I receive data from the user (whether through POST or GET) that is supposed to be an integer, I validate that appropriately. But often the data is VARCHAR, and sometimes can contain HTML.
How do I protect my DB from SQL injection in that case?
Does <cfqueryparam value="#form.textInput#" cfsqltype="cf_sql_varchar"> protect the query from sending a malicious SQL statement inside a VARCHAR value?
The short answer to your question is ‘yes’.
I block hacking attempts using three methods.
I use cfqueryparam in all my database queries. I will use cfparam at the top of the template/cfm files for url scope variables.
I have used Portcullis or variants of it. You can get it from http://portcullis.riaforge.org/. Portcullis will also defend against some cross site scripting attacks.
I use Windows IIS 7.5 (Windows Server 2008 R2). I use the URL Rewrite feature to block the bulk of URL based attacks. You can do similar things with Apache and the rewrite that it supports. Here are my IIS URL Rewrite rules:
These rules are added to the C:\Windows\System32\inetsrv\config\applicationHost.config file for IIS. However I do ****NOT**** recommend that you directly edit this file. One mistake and IIS will not load. Instead copy & paste the rules above and save them as “iis-global-rewrite.xml”. Then run the following batch file to add the rules to your IIS server:
The IIS rewrite rules should work with IIS 7.0 (Windows Server 2008) but I have not tested it.
These rules could also be applied to a single site using the web.config file if you do not have access to the server.
Why do I use three different methods for protection? Because none of them cover all the bases. The IIS rewrite rules only protect against URL based attacks. Hackers can also use form submission attacks that do the same thing. I prefer the IIS rules as a first line of protection because it will work with all sites on the server including PHP, ASP, etc. Portcullis is a good second line of defense for ColdFusion because it will catch form based attacks and some cross site scripting attacks. The last line of defense is the cfqueryparam/cfparam code which protects against URL/form based SQL injection attacks.
If all three of these methods are used the server/site should be very secure. I would still advise reviewing server logs from time to time as attacks do evolve and improve.