I'm running ColdFusion 8 and SQL Server 2008.
I've been building several forms that insert data into the database from external users; we have a custom-built security module built by the guy whose job I've taken.
1) How can we test our HTML forms to ensure that we're protected from SQL injection attacks?
2) How do I secure CFqueries in CFCs?
3) What are some best practices in terms of SQL & Coldfusion for security?
-- A lot I know!
Here's a short answer if you already know CF: http://bobby-tables.com/coldfusion.html – davidhaskins, Jul 20, 2011 at 19:41
2 Answers
This article from Adobe discusses most of the issues you'll need to deal with.
The best protection against SQL injection is to use a parametric query - that is, a query that is complete and can be compiled by the SQL engine but that you attach data to after the fact. I haven't used Coldfusion in many years, but it appears that it doesn't support parametric queries - the article I linked lists some solutions to the problem.
Summarizing the answers, CFQUERYPARAM is your friend. It will automatically escape all the parameters, and speed the queries up at the same time.
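As an added illustration (not code from the question or either answer), here is a CF8-style CFC that puts the concatenated query both answers warn against next to its cfqueryparam form, plus the allow-list check needed for the one place cfqueryparam cannot be used; the datasource name `myDSN` and the `users` table and columns are assumed.

```cfml
<cfcomponent output="false" hint="User lookups: unsafe vs. parameterised queries (datasource myDSN is assumed)">

    <!--- UNSAFE: form input is spliced into the SQL text, so the
          submitted string becomes part of the statement itself. --->
    <cffunction name="getUserUnsafe" access="public" returntype="query" output="false">
        <cfargument name="username" type="string" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="myDSN">
            SELECT id, username, email
            FROM   users
            WHERE  username = '#arguments.username#'
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- SAFE: the value is bound as a typed parameter, so the database
          receives the statement and the data separately. maxlength adds a
          length check; cfsqltype enforces the type (cf_sql_integer would
          reject non-numeric input outright). --->
    <cffunction name="getUser" access="public" returntype="query" output="false">
        <cfargument name="username" type="string" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="myDSN">
            SELECT id, username, email
            FROM   users
            WHERE  username = <cfqueryparam value="#arguments.username#"
                                            cfsqltype="cf_sql_varchar" maxlength="50">
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- Identifiers (column names in ORDER BY, table names) cannot be
          bound with cfqueryparam, so they must be checked against a
          fixed allow-list before being placed in the SQL. --->
    <cffunction name="listUsers" access="public" returntype="query" output="false">
        <cfargument name="sortColumn" type="string" required="false" default="username">
        <cfset var q = "">
        <cfset var allowed = "id,username,email">
        <cfif NOT listFindNoCase(allowed, arguments.sortColumn)>
            <cfset arguments.sortColumn = "username">
        </cfif>
        <cfquery name="q" datasource="myDSN">
            SELECT id, username, email
            FROM   users
            ORDER BY #arguments.sortColumn#
        </cfquery>
        <cfreturn q>
    </cffunction>
</cfcomponent>
```

Parameterised queries also let SQL Server reuse the cached execution plan across calls, which is the speed-up the answer refers to.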