Devnet Article on Securing CF From SQL Injection
I was just reading through this article on Adobe Devnet titled Secure your ColdFusion application against SQL injection attacks, and I have a few issues with the article.
On Page 5 the article says:
Additionally when you use the following code it ensures that the value contains only letters and numbers:
<cfqueryparam value="#strDescription#" CFSQLType="VARCHAR">
That is incorrect. Using
cfsqltype="varchar" does NOT ensure the value contains only letters and numbers. It will certainly protect you from SQL Injection, but not from Cross Site Scripting Injection (because it allows characters such as < >, etc) as that statement may lead you to believe.
Next the author totally ripped off my script for adding simple SQL Injection detection to scriptprotect, that I blogged in 2005, no attribution. Not that I really want attribution for that method anyways, as doesn't protect from very many SQL Injection attack vectors. The blog entry was posted more as a look what you can do, rather than this is what you should do.
Another issue I have with the article is that it doesn't address that variables other than
FORM variables need to be protected. You can have SQL Injection in cookies, CGI variables, HTTP headers, etc. Anything that is sent in the HTTP request needs to be protected.
I hope Adobe will edit the article, as it can be very dangerous to have incorrect information about security coming from a source that many people trust.
- Mastering CFQUERYPARAM - July 24, 2008
- Announcing Web Application Firewall for ColdFusion - July 9, 2007
- Detecting SQL Injection with ScriptProtect - May 18, 2005
- CFSummit 2016 Slides - October 17, 2016
- Scope Injection in CFML - March 3, 2015
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained