CFIF Condition in ColdFusion

Hi,

To protect against SQL injection in CF, I am filtering the SQL tags in a cfif and placing them in the Application.cfm file,
like <cfif query_string contains "DROP"  .....>
<cfmail> </cfmail>
<cfabort>
</cfif>
My problem is that I have to pass an email in the query string, i.e. drop@xxxx.com. How can I do it? Because when I write it in a cfelseif, the initial cfif condition is matched for DROP first and it aborts, and when I write it in the cfif, the other SQL filter combinations are not working with that email. Any help would be kindly appreciated.
shariff_pasha Asked:
_agx_ Commented:
Rather than reinventing the wheel, have you had a look at riaforge.org?

http://portcullis.riaforge.org/
Portcullis is a CFC based url,form,cookie filter to help protect against SQL Injection and XSS (Cross Site Scripting) attacks. This CFC can help filter input, strip tags and escape HTML based on internal settings. It can also log attacks and temporarily block future attempts based on a set time limit. Portcullis can be installed into any ColdFusion application as a simple shared scoped singleton.
....
0

shariff_pasha (Author) Commented:
Yeah, I have seen that CFC and it's good. I will implement that, and for general info, can you tell me how to accomplish the above task?
0
_agx_ Commented:
Honestly, it's VERY tricky.  You could come up with something that would work in that case _only_, but chances are it'll break tomorrow, as there are a million more cases it won't handle.  I'm NOT an expert on filtering :)  That's why I suggested a pre-built CFC.  Rather than recommending you implement something yourself (that probably won't work), take a look inside one of the pre-built CFCs and see how _they_ do it :).  Because the home-grown stuff just doesn't work here.

There's all kinds of ways to inject a keyword like DROP into a query string. Here's one most people wouldn't catch:  http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html

Good Luck!
0
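As an added example that is not part of the original thread, here is the approach the comment above points toward instead of keyword filtering: validate the shape of the input and bind the value with cfqueryparam, so an address such as drop@xxxx.com reaches the database as a parameter and never as SQL text. The datasource name myDSN and the users table with columns id and email are assumed names for illustration.

```cfml
<!--- Added example, not code from the original thread. Assumed names:
      datasource "myDSN", table "users" with columns id and email. --->
<cfparam name="url.email" default="">

<!--- Vulnerable form, shown for contrast only: the value is pasted into the
      SQL text, so a keyword filter is the only thing between the URL and the
      database, and any address containing DROP trips that filter.

      <cfquery name="getUser" datasource="myDSN">
          SELECT id, email FROM users WHERE email = '#url.email#'
      </cfquery>
--->

<!--- Step 1: allow-list the shape of the input. Whether the address contains
      DROP, INSERT or any other keyword is irrelevant to this check. --->
<cfif NOT isValid("email", url.email)>
    <cfthrow type="InvalidInput" message="Expected an e-mail address.">
</cfif>

<!--- Step 2: bind the value. cfqueryparam sends it to the driver as a bound
      parameter, so "drop@xxxx.com" (or a string holding a whole statement)
      is compared as data and is never parsed as part of the query. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, email
    FROM   users
    WHERE  email = <cfqueryparam value="#url.email#"
                                 cfsqltype="cf_sql_varchar"
                                 maxlength="254">
</cfquery>

<!--- Encode on output as well; the stored value is still untrusted. --->
<cfoutput>
    <cfloop query="getUser">
        #getUser.id#: #HTMLEditFormat(getUser.email)#<br>
    </cfloop>
</cfoutput>
```

With the value bound this way, the cfif/cfabort check in Application.cfm is no longer what protects this query, and the drop@xxxx.com false positive from the question simply does not arise: the parameter is typed and length-limited, and the database receives it separately from the SQL.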

_agx_ Commented:
BTW:  I won't recommend something I know is a bad idea or will cause problems. However, since I didn't answer the question for you, I won't be offended if you choose to wait for other responses or even prefer to delete this question and try again.  No hard feelings.
0
Gurpreet Singh Randhawa (CEO) Commented:
Well, agx is right, but if you still want your own solution, here it is:

This works for me:

<!--- Keyword blacklist over the url and form scopes. The pattern requires a
      space or semicolon before the keyword and "table" after "drop", so an
      address such as drop@xxxx.com is not matched. --->
<cftry>
    <cfset SQL_Words = "[ ;](insert +into.+values|drop +table|create +table)">
    <!--- Read each value from its own scope. Evaluate(var) would resolve the
          key name through the default scope order instead of the url/form
          scope, so a key named like another variable tests the wrong value. --->
    <cfloop collection="#url#" item="var">
      <cfif IsSimpleValue(url[var]) AND REFindNoCase(SQL_Words, url[var]) NEQ 0>
        <cfthrow type="SQLAttack" message="Invalid URL value passed.">
      </cfif>
    </cfloop>
    <cfloop collection="#form#" item="var">
      <cfif IsSimpleValue(form[var]) AND REFindNoCase(SQL_Words, form[var]) NEQ 0>
        <cfthrow type="SQLAttack" message="Invalid form value passed.">
      </cfif>
    </cfloop>
    <!--- Catch only our own throw so unrelated errors are not hidden; cfthrow
          fills cfcatch.Message, while Detail is empty for these throws. --->
    <cfcatch type="SQLAttack">
      <div align="center">
        <h3><cfoutput>#cfcatch.Message#</cfoutput></h3>
      </div>
      <cfabort>
    </cfcatch>
</cftry>
0
Gurpreet Singh Randhawa (CEO) Commented:
Use this in the Application.cfc onRequestStart method.
0