
I'm running Coldfusion 8 and SQL server 2008.

I've been building several forms that insert data into the database from external users; we have a custom-built security module built by the guy whose job I've taken.

1) How can we test our HTML forms to ensure that we're protected from SQL injection attacks?

2) How do I secure CFQueries in CFCs?

3) What are some best practices in terms of SQL & Coldfusion for security?

-- A lot I know!

Tulains Córdova
asked Jul 20, 2011 at 15:50

2 Answers


This article from Adobe discusses most of the issues you'll need to deal with.

The best protection against SQL injection is to use a parametric query - that is, a query that is complete and can be compiled by the SQL engine but that you attach data to after the fact. I haven't used Coldfusion in many years, but it appears that it doesn't support parametric queries - the article I linked lists some solutions to the problem.

answered Jul 20, 2011 at 15:56

Summarizing the answers, CFQUERYPARAM is your friend. It will automatically escape all the parameters, and speed the queries up at the same time.

answered Jul 20, 2011 at 20:29
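As an added illustration of the CFQUERYPARAM advice above (example code, not from the original post or either answer): a hypothetical CFC showing the string-concatenation pattern next to its bound-parameter form. The datasource name `myDSN`, the `users` table and its columns, and the function names are all assumptions.

```cfml
<!--- Hypothetical UserGateway.cfc (added example, not from the original post) --->
<cfcomponent output="false">

    <!--- Unsafe pattern: the form value is concatenated straight into the SQL text,
          so whatever the user typed becomes part of the statement itself. --->
    <cffunction name="findUserUnsafe" access="public" returntype="query" output="false">
        <cfargument name="email" type="string" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="myDSN">
            SELECT user_id, email, display_name
            FROM users
            WHERE email = '#arguments.email#'
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- Hardened pattern: cfqueryparam sends the value as a bound parameter with a
          declared SQL type and maximum length, so it is never parsed as SQL. --->
    <cffunction name="findUser" access="public" returntype="query" output="false">
        <cfargument name="email" type="string" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="myDSN">
            SELECT user_id, email, display_name
            FROM users
            WHERE email = <cfqueryparam value="#arguments.email#"
                                        cfsqltype="cf_sql_varchar" maxlength="254">
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- Numeric arguments get a numeric cfsqltype: a non-numeric value is rejected
          by ColdFusion before the statement ever reaches SQL Server. --->
    <cffunction name="getUserById" access="public" returntype="query" output="false">
        <cfargument name="userId" type="numeric" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="myDSN">
            SELECT user_id, email, display_name
            FROM users
            WHERE user_id = <cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn q>
    </cffunction>

</cfcomponent>
```

A practical review check for the forms in the question is to search every `<cfquery>` body for a `#...#` interpolation that is not wrapped in `<cfqueryparam>`; each one is a candidate for the hardened form.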
