the singularity of being and nothingness
Not Getting SQL Injected is a Good Thing
Some people on the internet are jerks. They like to write scripts that roam the interblog, trying to muck with people's sites for their own gain. A common tactic is SQL injection, and it can suck out loud if you get hit with it.
Over the last week and a half, I've been attacked 5 times by the same malicious code, which tries to use SQL injection to modify my database.
Wait, what is SQL injection? Basically, it's when someone finds a way into a query you're already running and adds their own SQL to it, so that an additional SQL command executes on your database. So for example, let's say you have a query that runs based off of a URL parameter, like this: http://css-imagine.com/gallery.cfm?siteID=12. Here, my page checks whether the URL parameter "siteID" exists, and if it does, it runs a query that looks up and retrieves the information whose site ID equals the value of the "siteID" argument (here, '12').
What SQL injection would try to do with this, then, is to add some additional SQL to the end of my query string, hoping to find a hole to exploit and execute its own commands.
So how do you avoid this? Well, you have to lock down the arguments your query will allow. So going back to my example, the query that I run for retrieving a site allows the "siteID" argument, but will only execute IF the argument is strictly numeric. Therefore, if someone tries to append SQL to the end of my query string (something like "?siteID=12;DECLARE(blah blah blah)"), the query will not run. If I did not restrict the argument type, however, the database would accept ANYTHING passed in, and the injected SQL statement would have the run of my database.
Here, I have to sing the praises of ColdFusion. For queries, CF provides a "cfqueryparam" tag which lets you specify not only exactly what types of arguments to accept, but also the maximum length of those arguments (plus a bunch of other stuff I've never used…).
Now obviously, there are times when you'll have to accept a "varchar" argument in a query, and in that case you'll have to do more to sanitize the arguments coming into the query. Nonetheless, typing your parameters is a good start and should weed out a lot of SQL injection attempts.
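Here is what the two approaches look like side by side in CFML, as an added example that is not code from the original post. It assumes a datasource named "gallery", a table "sites" with columns siteID and siteName, and, for the varchar case, a hypothetical "searchTerm" URL parameter.

```cfml
<!--- Added example, not the author's code. Assumes datasource "gallery"
      and a table "sites" with columns siteID and siteName. --->

<!--- BEFORE: the raw URL value is pasted straight into the SQL string.
      Whatever is appended to ?siteID= becomes part of the statement. --->
<cfif structKeyExists(url, "siteID")>
    <cfquery name="getSite" datasource="gallery">
        SELECT siteID, siteName
        FROM sites
        WHERE siteID = #url.siteID#
    </cfquery>
</cfif>

<!--- AFTER: the value is checked to be an integer first, and then bound
      with cfqueryparam as a typed parameter. cf_sql_integer refuses any
      non-numeric value before the database ever sees the statement, so
      text appended to the parameter can never run as SQL. --->
<cfif structKeyExists(url, "siteID") AND isValid("integer", url.siteID)>
    <cfquery name="getSite" datasource="gallery">
        SELECT siteID, siteName
        FROM sites
        WHERE siteID = <cfqueryparam value="#url.siteID#"
                                     cfsqltype="cf_sql_integer">
    </cfquery>
</cfif>

<!--- Varchar arguments must still be bound rather than interpolated; the
      driver sends the value separately from the SQL text, and maxlength
      caps how much input is accepted. "searchTerm" is a hypothetical
      URL parameter used only for this example. --->
<cfif structKeyExists(url, "searchTerm")>
    <cfquery name="findSite" datasource="gallery">
        SELECT siteID, siteName
        FROM sites
        WHERE siteName = <cfqueryparam value="#url.searchTerm#"
                                       cfsqltype="cf_sql_varchar"
                                       maxlength="100">
    </cfquery>
</cfif>
```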
This entry was posted by existdissolve on July 28, 2008 at 1:11 am, and is filed under ColdFusion.