
CFIF Condition in ColdFusion

Hi,

To protect against SQL injection in CF I am filtering the SQL tags in a cfif and placing them in the application.cfm file, like:

    <cfif query_string contains "DROP"  .....>
    <cfmail> </cfmail>
    <cfabort>
    </cfif>

My problem is that I have to pass an email in the query string, i.e. drop@xxxx.com. How can I do it? Because when I write it in a cfelseif, the initial cfif condition is matched for DROP first and it aborts, and when I write it in the cfif, the other SQL filter combinations are not working with that email. Any help would be kindly appreciated.
0
Asked: shariff_pasha

1 Solution
 
_agx_ Commented:
Rather than reinventing the wheel, have you had a look at riaforge.org?

http://portcullis.riaforge.org/
Portcullis is a CFC based url,form,cookie filter to help protect against SQL Injection and XSS (Cross Site Scripting) attacks. This CFC can help filter input, strip tags and escape HTML based on internal settings. It can also log attacks and temporarily block future attempts based on a set time limit. Portcullis can be installed into any ColdFusion application as a simple shared scoped singleton.
....
0
 
shariff_pasha (Author) Commented:
Yeah, I have seen that CFC and it's good; I will implement that. For general info, can you tell me how to accomplish the above task?
0
 
_agx_ Commented:
Honestly, it's VERY tricky.  You could come up with something that would work in that case _only_, but chances are it'll break tomorrow, as there are a million more cases it won't handle.  I'm NOT an expert on filtering :)  That's why I suggested a pre-built CFC.  Rather than recommending you implement something yourself (that probably won't work), take a look inside one of the pre-built CFCs and see how _they_ do it :).  Because the home-grown stuff just doesn't work here.

There are all kinds of ways to inject a keyword like DROP into a query string. Here's one most people wouldn't catch:  http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html

Good Luck!
0

 
_agx_ Commented:
BTW:  I won't recommend something I know is a bad idea or will cause problems. However, since I didn't answer the question for you, I won't be offended if you choose to wait for other responses or even prefer to delete this question and try again.  No hard feelings.
0
 
Gurpreet Singh Randhawa (Web Developer) Commented:
Well, agx is right. If you still want your own solution, here it is; this works for me:

    <cftry>
        <!--- Blacklist of statement shapes; each needs a leading space or semicolon --->
        <CFSET SQL_Words="[ ;](insert +into.+values|drop +table|create +table)">
        <!--- Read each value by key from the URL scope. Evaluate(var) would resolve
              the key name as a variable in whichever scope it is found first --->
        <CFLOOP COLLECTION="#url#" ITEM="var">
          <CFIF IsSimpleValue(url[var]) AND REFindNoCase(SQL_Words, url[var]) NEQ 0>
            <CFTHROW TYPE="SQLAttack" MESSAGE="Invalid URL value passed.">
          </CFIF>
        </CFLOOP>
        <CFLOOP COLLECTION="#form#" ITEM="var">
          <CFIF IsSimpleValue(form[var]) AND REFindNoCase(SQL_Words, form[var]) NEQ 0>
            <CFTHROW TYPE="SQLAttack" MESSAGE="Invalid Form value passed.">
          </CFIF>
        </CFLOOP>
        <cfcatch type="any">
          <!--- cfthrow above sets MESSAGE, so show cfcatch.Message; cfcatch.Detail is empty --->
          <div align="center">
            <h3><cfoutput>#cfcatch.Message#</cfoutput></h3>
          </div>
          <cfabort>
        </cfcatch>
    </cftry>
0
 
Gurpreet Singh Randhawa (Web Developer) Commented:
Use this in the Application.cfc onRequestStart method.
0
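An added example, not code from this thread or from Portcullis: the blacklist regex posted above, translated to Python so it can be run stand-alone, checked against the original poster's e-mail address and against two payloads agx's warning covers (one hides the keyword behind a comment, one behind the T-SQL CAST/hex trick that the linked article describes). The last part runs the comment payload against an in-memory SQLite table (constructed here) through string concatenation and through a bound parameter, to show that the parameterized query needs no keyword filter at all. The table, the e-mail addresses and the payloads are all constructed for the example.

```python
import re
import sqlite3

# The thread's CFML blacklist, translated. REFindNoCase is case-insensitive, hence
# re.IGNORECASE; [ ;] demands a space or semicolon right before the keyword.
SQL_WORDS = re.compile(r"[ ;](insert +into.+values|drop +table|create +table)",
                       re.IGNORECASE)


def keyword_filter_rejects(params):
    """Equivalent of the cfloop over the url/form scopes: True if any value matches."""
    return any(SQL_WORDS.search(value) is not None for value in params.values())


def cast_hidden(statement):
    """Hide a statement inside T-SQL CAST(0x... AS VARCHAR) so no SQL keyword is visible
    to a text filter. Constructed to show the shape of the CAST injection agx links to;
    it targets SQL Server and is only passed through the filter here, never executed."""
    hexed = statement.encode("ascii").hex().upper()
    return (f"';DECLARE @S VARCHAR(4000);SET @S=CAST(0x{hexed} AS VARCHAR(4000));"
            "EXEC(@S);--")


def fresh_db():
    """In-memory SQLite with a constructed users table (id 1 is the OP's address)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users (email) VALUES (?)",
                     [("drop@xxxx.com",), ("alice@example.com",)])
    conn.commit()
    return conn


def concat_query(conn, email):
    """The pattern the filter is meant to guard: the raw value pasted into the SQL text.
    executescript permits stacked statements, as several real database drivers do."""
    conn.executescript(f"SELECT id FROM users WHERE email = '{email}';")


def param_query(conn, email):
    """The fix that needs no blacklist: the value is bound, never parsed as SQL."""
    rows = conn.execute("SELECT id FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def users_table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'").fetchone()
    return row is not None


def demo():
    results = {}
    # 1. The OP's case: the regex wants 'drop' + spaces + 'table', not the bare word,
    #    so the e-mail address is not flagged.
    results["email_passes_filter"] = not keyword_filter_rejects({"email": "drop@xxxx.com"})
    # 2. The obvious payload is caught.
    results["plain_drop_caught"] = keyword_filter_rejects({"email": "x'; drop table users;--"})
    # 3. Two payloads the filter does not see: a comment in place of the spaces,
    #    and the keywords hex-encoded inside CAST().
    comment_bypass = "x';drop/**/table users;--"
    results["comment_bypass_passes_filter"] = not keyword_filter_rejects({"email": comment_bypass})
    results["cast_bypass_passes_filter"] = not keyword_filter_rejects(
        {"email": cast_hidden("DROP TABLE users")})
    # 4. Against string concatenation the comment payload really drops the table ...
    conn = fresh_db()
    concat_query(conn, comment_bypass)
    results["table_dropped_via_concat"] = not users_table_exists(conn)
    # 5. ... while a bound parameter treats the same text as data, and the e-mail
    #    that started the thread is simply looked up.
    conn = fresh_db()
    results["param_rows_for_payload"] = param_query(conn, comment_bypass)
    results["param_rows_for_email"] = param_query(conn, "drop@xxxx.com")
    results["table_survives_param"] = users_table_exists(conn)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The regex in the thread already lets drop@xxxx.com through, so the OP's immediate problem only exists for the bare `contains "DROP"` check; the deeper point is that every keyword list can be sidestepped by changing the whitespace or encoding, while a bound parameter (cfqueryparam in ColdFusion, `?` here) closes the hole regardless of what the value contains.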
 