SQL Injection

I find myself rather wishing that there were a horde (or maybe even a handful) of high-profile ColdFusion sites using DataFaucet for their data access layer... Why? Because in order for someone to get a SQL injection past you with DataFaucet, you have to go out of your way to let it happen.

Three things you should never, ever do with DataFaucet:

  1. put raw user-supplied variables into the select list of a query (or the GROUP BY or HAVING clauses); those are column names and expressions, not values, so nothing quotes or escapes them for you
  2. put ANY user-supplied variables into the orderby property of a select statement (use SORT, which is designed specifically for that purpose)
  3. put ANY user-supplied variables into the content property of a dynamic filter (e.g. stmt.sqlFilter("column", form.x, "in")); that content goes into the SQL text rather than into a bound parameter

Never do those three things and you should never have to worry about... well, at least not this SQL injection attack. The common thread is that cfqueryparam can only bind values: column names, sort clauses and raw filter text are part of the statement itself, so the only defence in those positions is to restrict them to a known set of choices. I don't want to say never, because it's theoretically possible that future versions of ColdFusion (or smarter hackers) could produce new vulnerabilities, and that may even include vulnerabilities in cfqueryparam. But for today, cfqueryparam keeps you safe, and using DataFaucet without doing those three things will protect you.
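The three rules above, shown as plain SQL through Python's sqlite3 driver. This is an added example, not DataFaucet's code and not the author's; it assumes a constructed users table (id, name, email, role) with three sample rows. It contrasts string concatenation with a bound parameter (the cfqueryparam equivalent), shows why ORDER BY cannot be bound and has to go through an allowlist (the job SORT does in DataFaucet), and builds an IN list from user data with one placeholder per value instead of splicing the values in. The select list and GROUP BY are identifiers just like ORDER BY and get the same allowlist treatment.

```python
"""Added example (not DataFaucet or the blog's code): values get bound,
identifiers get allowlisted, IN lists get one placeholder per value.
The table and rows below are constructed for the demo."""
import sqlite3

SAMPLE_ROWS = [  # constructed sample data
    (1, "alice", "alice@example.com", "admin"),
    (2, "bob", "bob@example.com", "user"),
    (3, "carol", "carol@example.com", "user"),
]

# Placeholders stand for values, never for column names or ASC/DESC,
# so user-chosen sort options are mapped onto a fixed set of SQL fragments.
SORT_COLUMNS = {"id": "id", "name": "name", "email": "email"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def open_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_by_name_unsafe(conn, name):
    """Concatenation: the user's string becomes part of the SQL text."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    """Bound parameter: the value travels separately and is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def is_allowed_sort(sort_key, direction):
    """Allowlist check for the ORDER BY clause (rule 2)."""
    return sort_key in SORT_COLUMNS and direction in SORT_DIRECTIONS


def list_users_sorted(conn, sort_key, direction="asc"):
    """ORDER BY built only from allowlisted fragments; anything else is rejected."""
    if not is_allowed_sort(sort_key, direction):
        raise ValueError("unsupported sort option")
    sql = "SELECT id, name FROM users ORDER BY %s %s" % (
        SORT_COLUMNS[sort_key], SORT_DIRECTIONS[direction])
    return conn.execute(sql).fetchall()


def find_by_ids(conn, ids):
    """IN list from user data (rule 3): coerce to the expected type, then
    emit one '?' per value so the values never touch the SQL text."""
    ids = [int(i) for i in ids]  # "2' OR 1=1" fails here with ValueError
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = "SELECT id, name FROM users WHERE id IN (%s) ORDER BY id" % placeholders
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = open_db()
    payload = "x' OR '1'='1"
    print("unsafe:", find_by_name_unsafe(db, payload))   # every row leaks
    print("safe:  ", find_by_name_safe(db, payload))     # no such name: []
    print("sorted:", list_users_sorted(db, "name", "desc"))
    print("in:    ", find_by_ids(db, ["2", "3"]))
```

The unsafe lookup with the payload `x' OR '1'='1` returns all three rows; the bound version returns nothing because the whole string is compared as a name. Note that the allowlist values are the SQL fragments you wrote, never the user's input, and that the IN-list builder still validates the type of each value before binding it.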

I've been hearing a lot about this problem today specifically. The company I work for has a few clients with some older sites that were affected. I sent an email with a couple of links to my bosses and the other programmers today, since I was the only one who'd read about it prior to the attack and already knew where to find the info.

So for anyone else who may yet be looking for the info, here are those links:

Russ Michaels and Mark Kruger talk about protecting yourself from SQL Injection.

-- and --

Hackers talk about something other than protecting yourself from SQL Injection.

I'm even tempted to say read it quick, because I suspect they might change the url on that article once they realize that CF programmers are reading it off of Google's index.

Good luck!

p.s. I would also be leery of acunetix!
