
I have old projects containing a lot of queries which are not using cfqueryparam to prevent SQL injection. Is there any way to use some function to do something similar at the application level on each form field?

As a beginner with a PHP background, I thought I could loop over the posted data and do an escape_string() or similar, but I don't want data to be saved in escaped form. I think cfqueryparam doesn't save data in escaped form. (I haven't tried it yet. I'm new at CF.) Otherwise, I have to unescape the data back on each retrieve, which I don't want to do. I want the input to be inserted and retrieved as is.

Basically I just want it to be done at the application level so I don't have to change thousands of queries one by one on each project.

Sample input

it's my book
user@gmail.com'; delete database --
Fish Below the Ice
Abdul Rehman
    You could check for the existence of form.fieldlist. If it's there, you could loop through it and do something with each submitted field. The tough part would be to think of something useful to do. – Dan Bracuk Aug 04 '15 at 17:09
    Modern versions of CF automatically escape embedded quotes within variables. However, like escape_string(), [it is not fool proof](http://stackoverflow.com/a/18797042/104223). The best way to protect against that form of sql injection is by using bind variables ie cfqueryparam. – Leigh Aug 04 '15 at 17:34
    I'll firstly echo what others have said: bite the bullet and remove your data values from your SQL statements, and parameterise them. This is not the sort of risk you want to take short cuts with. The only real foolproof way of disallowing SQLi is to be in control of your SQL statements, which you are currently not. You don't say whether you're on salary or hourly/daily rates, or have any time constraints, so if there aren't any of those, just do the work. If nothing else it'll get your eyeballs on all the code, and improve your understanding of the applications. – Adam Cameron Aug 04 '15 at 17:38

2 Answers


I've been at three different companies that had to do a complete project freeze and assign all devs to update calls to queries and stored procedures. Some even had to hire contractors to just do that for a couple of months. You're going to have to bite the bullet and do them manually.

You might take this opportunity to remove a bunch of redundant queries, replace them with stored procedures and move them to CFCs. This would allow you to reuse queries from a single source and reduce the overall amount of work you'll have to do.

You can put a Web Application Firewall (WAF) in place to handle some requests from the outside, but they're not 100%. Depending on your clients, the code has to protect from SQL Injection without the use of a WAF.

Adrian J. Moreno
    *You're going to have to bite the bullet* .. and you might look into tools like [QueryParamScanner](http://qpscanner.riaforge.org/) to help with the task. – Leigh Aug 04 '15 at 17:27
    @Leigh This is an awesome resource. I didn't know about it. Thanks – Abdul Rehman Aug 05 '15 at 09:21
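To make concrete what the comments on the question and this answer are recommending, here is an added example; it is not code from the question, from either answer, or from any product named on the page. The datasource name myDsn, the users and books tables, the CFC and its function names, and the sample url.id value are all assumptions. The first block is the pattern the question describes (a request value pasted into the SQL text); the second is the same work moved into a CFC and bound with cfqueryparam, as this answer suggests.

```cfml
<!---
  Added example, not from the page. Datasource "myDsn", the users/books tables
  and the function names are assumptions chosen for illustration.
--->

<!--- BEFORE: the shape found in the old projects. The request value becomes part of the SQL text. --->
<cfquery name="qUser" datasource="myDsn">
    SELECT id, email
    FROM   users
    WHERE  id = #url.id#
</cfquery>
<!---
  ColdFusion doubles single quotes in variables it evaluates inside <cfquery>, so the
  question's payload   user@gmail.com'; delete database --   is neutralised when it lands
  inside a quoted string literal ('...''; delete database --'). That only helps where the
  literal is quoted. The numeric comparison above has no quotes, so a request with
  url.id = 1; delete database --   reaches the database as
      WHERE  id = 1; delete database --
  with nothing escaped at all. Whether the second statement executes depends on the
  driver and datasource settings, but the attacker controls the statement text either way.
--->

<!--- AFTER: the same queries in a CFC, values sent as bind parameters instead of SQL text. --->
<cfcomponent output="false">

    <cffunction name="getUserById" access="public" returntype="query" output="false">
        <!--- type="numeric" rejects "1; delete database --" before any SQL is built --->
        <cfargument name="id" type="numeric" required="true">
        <cfset var qUser = "">
        <cfquery name="qUser" datasource="myDsn">
            SELECT id, email
            FROM   users
            WHERE  id = <cfqueryparam value="#arguments.id#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn qUser>
    </cffunction>

    <cffunction name="addBook" access="public" returntype="void" output="false">
        <cfargument name="ownerEmail" type="string" required="true">
        <cfargument name="title"      type="string" required="true">
        <!---
          The values travel to the driver as parameters, separate from the SQL string.
          "it's my book" is stored exactly as typed: nothing is escaped on the way in,
          so there is nothing to unescape on the way out. The payload
          user@gmail.com'; delete database --  is just a string value that matches no row.
          maxlength caps what a caller can push into a varchar column.
        --->
        <cfquery datasource="myDsn">
            INSERT INTO books (owner_email, title)
            VALUES (
                <cfqueryparam value="#arguments.ownerEmail#" cfsqltype="cf_sql_varchar" maxlength="255">,
                <cfqueryparam value="#arguments.title#"      cfsqltype="cf_sql_varchar" maxlength="255">
            )
        </cfquery>
    </cffunction>

</cfcomponent>
```

A page would then call the component rather than running SQL inline, for example createObject("component", "BookGateway").getUserById(url.id) (the component name is an assumption). That is the property the comments keep returning to: once every value reaches the database as a bind parameter, the application controls the SQL text, and no per-field escaping loop in Application.cfc is needed or sufficient.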

You might check out FuseGuard for that. It is a ColdFusion web application firewall and one of the things that it filters for is SQL injection attacks.

You will be more secure biting the bullet and changing all of your queries to use cfqueryparam, but FuseGuard is cheaper than fixing a large application and quick to get up and running.

When my team ran into your situation (taking over an existing app with thousands of unprotected queries), we installed FuseGuard and then started tackling queries as we could get the time.

I don't have any financial connection to FuseGuard - just a happy customer.

Steve Bryant