
I'm running ColdFusion 8 and SQL Server 2008.

I've been building several forms that insert data into the database from external users. We have a custom-built security module written by the guy whose job I've taken.

1) How can we test our HTML forms to ensure that we're protected from SQL injection attacks?

2) How do I secure cfqueries in CFCs?

3) What are some best practices in terms of SQL & ColdFusion for security?

-- A lot I know!

Tulains Córdova
Snow_Mac
  • Here's a short answer if you already know CF: [http://bobby-tables.com/coldfusion.html](http://bobby-tables.com/coldfusion.html) – davidhaskins Jul 20 '11 at 19:41

2 Answers

Summarizing the answers, CFQUERYPARAM is your friend. It will automatically escape all the parameters, and speed the queries up at the same time.

Brian Hoover

This article from Adobe discusses most of the issues you'll need to deal with.

The best protection against SQL injection is to use a parametric query - that is, a query that is complete and can be compiled by the SQL engine but that you attach data to after the fact. I haven't used Coldfusion in many years, but it appears that it doesn't support parametric queries - the article I linked lists some solutions to the problem.

greyfade