2

I'm wondering if the # symbol is enough.

This is a part of the sql command that I'm using

WHERE login='#FORM.login#' AND password COLLATE Latin1_General_CS_AS = '#FORM.password#'

I'm trying to test it with user names such as ' OR 1=1 and variants of it, but even though it's not working I don't want to have a false sense of security.

I've read that using <cfqueryparam> can prevent this form of attack; are there any other ways?

12
  • 7
    Do not store passwords in plain text. You should hash your passwords using a secure salted hash (not MD5) Commented Aug 25, 2011 at 17:20
  • I agree, but it's not my database... Commented Aug 25, 2011 at 17:39
  • 3
    @Daniel: Nobody says the database structure must be changed, you can store a hash or a cleartext password in a VARCHAR, to the DB that's all the same. But storing a hash is smarter and much more secure (or, put differently: storing cleartext passwords is incredibly dumb and dangerous). How long is the password field? Commented Aug 25, 2011 at 17:47
  • 3
    .. And not to sound unsympathetic, but developers still share responsibility for the security of information they handle whether it is their database or not. Commented Aug 25, 2011 at 17:53
  • I'm just writing a proposal for rewriting this application, while I might have to reword it, 'storing cleartext passwords is incredibly dumb and dangerous' is good fodder :) Commented Aug 25, 2011 at 17:59

2 Answers

11

The way to go is <cfqueryparam>. It's simple, straightforward, datatype-safe, can handle lists (for use with IN (...)) and can handle conditional NULLs. Plus you get a benefit out of it in loops - the query text itself is sent to the server only once, with each further loop iteration only parameter values are transferred.

You can use '#var#' and be relatively safe. In the context of a <cfquery> tag ColdFusion will expand the value of var with single quotes escaped, so there is some kind of automatic defense against SQL injection. But beware: This will — by design — not happen with function return values: For example, in '#Trim(var)#' single quotes won't be escaped. This is easily overlooked and therefore dangerous.

Also, it has a disadvantage when run in a loop: Since variable interpolation happens before the SQL is sent to the server, ColdFusion will generate a new query text with every iteration of a loop. This means more bytes over the wire and no query plan caching on the server, as every query text is different.

In short: Use <cfqueryparam> wherever you can:

WHERE
  login        = <cfqueryparam value="#FORM.login#" cfsqltype="CF_SQL_VARCHAR">
  AND password = <cfqueryparam value='#Hash(FORM.password, "SHA-512")#' cfsqltype="CF_SQL_VARCHAR">

Instead of a simple Hash(), you should indeed use a salted hash, as @SLaks pointed out in his comment.
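As an added example (not code from the answer or the question), here is the interpolation hazard next to a fully parameterized login check that also stores and verifies a per-user salted hash. The table and column names (users, login, salt, pwhash), the "myDSN" datasource and the maxlength values are assumptions.

```cfml
<!--- Added example. Assumed schema: users(login, salt, pwhash); "myDSN" is a placeholder datasource. --->

<!--- Fragile: a bare '#FORM.login#' would be auto-escaped inside <cfquery>, but the
      return value of Trim() is interpolated verbatim, so quotes in it reach the SQL text --->
<cfquery name="qFragile" datasource="myDSN">
    SELECT login FROM users WHERE login = '#Trim(FORM.login)#'
</cfquery>

<!--- Parameterized: only the login is sent, as a bound parameter, to fetch this user's salt and hash --->
<cfquery name="qUser" datasource="myDSN">
    SELECT salt, pwhash
    FROM users
    WHERE login = <cfqueryparam value="#Trim(FORM.login)#" cfsqltype="CF_SQL_VARCHAR" maxlength="64">
</cfquery>

<cfset authenticated = false>
<cfif qUser.recordCount EQ 1>
    <!--- Recompute the salted hash in CFML and compare in CFML; the password never
          becomes part of the SQL text, and the database only ever holds the hash --->
    <cfset candidate = Hash(qUser.salt & FORM.password, "SHA-512")>
    <cfif CompareNoCase(candidate, qUser.pwhash) EQ 0>
        <cfset authenticated = true>
    </cfif>
</cfif>

<!--- Creating an account: generate a fresh random salt per user, then bind every value --->
<cfset newSalt = Hash(CreateUUID() & GetTickCount(), "SHA-256")>
<cfquery datasource="myDSN">
    INSERT INTO users (login, salt, pwhash)
    VALUES (
        <cfqueryparam value="#Trim(FORM.login)#" cfsqltype="CF_SQL_VARCHAR" maxlength="64">,
        <cfqueryparam value="#newSalt#" cfsqltype="CF_SQL_VARCHAR" maxlength="64">,
        <cfqueryparam value="#Hash(newSalt & FORM.password, 'SHA-512')#" cfsqltype="CF_SQL_VARCHAR" maxlength="128">
    )
</cfquery>
```

The block follows the answer's Hash()-based suggestion; a purpose-built password hash such as bcrypt or PBKDF2 is preferable to a single SHA-512 round.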


1 Comment

+1 For the tip about functions. Learn something new every day.
-1

An even better way to go would be to use stored procedures for everything.

2 Comments

Stored Procedures have their uses, but not for everything. Queries and Stored Procedures should be used appropriately.
When building a ColdFusion application, raw SQL literally has no place. It executes more slowly than stored procs and is open to injection if you use params without protection.
