Skip to main content


Showing posts from August, 2008

protect your coldfusion site against sql injection attacks

As of this writing, a particularly virulent SQL injection spider attack is largely targeting sites running ColdFusion. Here's how the attack appears in server logs: The code creates a cursor of all the user tables and all the character columns in the database. It then appends a string to each of the columns, making an ungodly mess. Mark Kruger's post goes into a great deal of helpful detail about how this spider operates . If you do a Google search on this attack, you will quickly get a feeling for how widespread this is. If your site is getting hammered, and you need to buy time while you fix vulnerable code, there are scripts such as this one posted in ColdFusion Developer's Journal on August 8, 2008, which can be modified to thwart this most recent attack thus . Be aware that this only buys time. The most effective course is to make sure your queries are protected with cfqueryparam . Ben Forta's primer on cfqueryparam provides a very good start on prote