Viewing All Scopes for a Request
This little gem makes me giddy all over - and I don't get giddy easily. There was that one time at a Bette Midler concert in ‘99.... but I digress. Here's a method you may find useful during development, debugging and possibly for error handling. It's a method of the getPageContext() function that returns all scopes available to the request. That would be:
- Variables
- Form
- Cffile
- cfthread
- Request
- Server
- Http
- Cgi
- Client
- URL
- Session
- Cookie
- File
- Application
Ask-a-Muse: How Can Cfqueryparam Protect Me?
Muse Reader Asks:
If you want to allow someone to search your site by keyword, how do you protect against an SQL injection? CFqueryParam is great if testing for an integer, but what about for a string? Surely there's got to be a way to do it since all kinds of sites let you perform keyword searches. Thanks!
Whoa... slow down there. Do my ears deceive me? Did my reader just indicate that he (or she) thinks that cfqueryparam "tests" for a string? I hate to break it to you, but the purpose of Cfqueryparam is not to insure that the value passed into the tag is one thing or another. The validation that occurs is more of a by-product of binding. Sure, the tag will error out when you try to pass "abc" instead of "123" to a param of the "integer" type, but that is a result of type binding. It's simply trying to bind variables of type for the driver to use, so naturally it errors out. But pass in a decimal like 123.123 and it says "okey dokey - that will work". Testing to see what a form element contains is the job of the developer, not the job of a magic box tag.
But to answer your question more specifically, cfqueryparam will protect you from those malicious hack attempts anyway - even if the attack is passed to the database. Let's examine a working case and see if we can figure out what is happening.
Read MoreA Better Blacklist Function for SQLi
Please note - I have not changed my stance on the use of CFQUERYPARAM. The real "fix" for injection is validation routines for form inputs and binding variables using Cfqueryparam. A blacklist function (a function that checks for "known bad" input) is useful in that it provides protection on the perimeter. It can help you intercept hack attempts before they reach your DB - where presumably they would fail in any case. They are also useful for thwarting immediate threats if you discover a security flaw that might take some time to fix. The recent spate of attacks caused a proliferation of blacklist techniques from simple to complex. In my own post on the vulnerability of using string concatenated SQL I published a snippet that made use of the iSQLInject function from CF Lib. There is a better approach however.
Read MoreAdding Cfqueryparams to a Legacy Site Without Losing Your Hair
So you got hit with the latest SQLi attack eh? SQLi is the hip acronym for "sql injection" that fancy pants security people use. You've put in some stop gap measures and now you are slogging through 3000 queries trying to add cfqueryparam to everything. It's a laborious task to be sure. Here are some special tips from the muse that might help shorten it.
Read MoreMy Email Is Taunting Me
I just received the following message in my inbox with the subject of "Message Removed":
"Uh... We had a message here. We are not sure what it was. We aren't sure what happened to it either (although it was obviously not our fault). We only know it's missing - and rather than leave it out of your already crowded inbox, we just thought we would give you this friendly note as a replacement. There's nothing really you can do about it, but perhaps you can sit there wondering for 90 seconds or so..."
It's kind of like the dozens of times I've asked for a girl's number and received it, but when I called it later it was disconnected - or worse, it was the lady who gives out the time or maybe the Chinese take-away. Have you ever tried to get a date from the guy who answers the phone at the Chinese take-away? It's humiliating.
SQL Injection Part III - Don't Forget Sorting
So... you have diligently added CFQUERYPARAM to every input variable. Your database is secure and safe from SQL Injection - right? Well... maybe not. Did you remember to account for the ORDER BY Clause? Let me explain.
Read MoreCombining SQL Query Strings and CFQUERYPARAM
If you have been following the muse the last few days you will know that I've had my shoulder to the wheel helping customers and fellow developers sort through making changes to their site to protect against a particularly malicious SQL Injection attack (read about the details here). Some of the folks who have contacted me are dealing with extra problems because their code uses string concatenation to build dynamic SQL strings. So the question has been asked a few times, "How do I go about building an SQL string with CFQUERYPARAMs in it?" Unfortunately, if you have chosen this approach it's going to be difficult to help you without seriously refactoring your code. Here's a few tips that can help, and one approach that might get you most of the way there.
Read MoreSQL Injection Part II (Make Sure You Are Sitting Down)
Back in February I wrote a blog post on SQL Injection that included an example of how a malicious user might inject into a character field even though ColdFusion escapes single quote marks. The attack involved other forms of escaping single quotes - and was effective against MySQL. This week I stumbled upon (more like a train wreck) an attack that is much more sophisticated - and also involves injection into a character field. I am told that others have discovered and written on this attack over the last few weeks - but I was unaware of it until a customer of ours was victimized. Amazingly, the specific real world attack I discovered and fixed allowed the hacker to append a string to every char column in every table of the database. It was so pervasive it left me wondering if it was SQL injection at all - until I found a URL entry that looked something like this:
Read MoreSites to Watch
Aggregators
RSS
