• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

TeraTech

The ColdFusion Experts: Develop | Secure | Optimize

  • Services
    • Consulting
    • Crash
    • Development
    • Maintenance
    • Modernization
    • Security
  • About Us
  • Testimonials
  • Free Assessment
  • Get in touch!

  • Services
    • Consulting
    • Crash
    • Development
    • Maintenance
    • Modernization
    • Security
  • About Us
  • Testimonials
  • Free Assessment
  • Get in touch!

Preventing SQL Injection Attacks

January 17, 2025 By Michaela Light Leave a Comment

 

SQL Injection can damage your website’s data and spread to other sites in your organization. This article explains how it works and how you can prevent it.

Exploited vulnerabilities:

A SQL Injection attack relies on the someone sending an HTTP request (web site visitor) being able to add SQL commands to a URL or form variable, and have it sent in a SQL query so that the SQL Server runs it as another SQL command. Any text passed along in URL or form variables can be modified by the user, or automated. URL/Form variables should only be treated as data, and never trusted.  (See http://www.forta.com/blog/index.cfm/2005/12/21/SQL-Injection-Attacks-Easy-To-Prevent-But-Apparently-Still-Ignored for a quick description). If text entered in the URL can get run on the database server as a SQL command, then a malicious user can pass any SQL commands that that SQL login has access to, including making malicious edits, reading from system tables for the database, bypassing site login code, or possibly (if the SQL login has permissions) creating or deleting tables. 

Over the past few months (since about May 2008) there’s been an automated SQL Injection attack running against first just ASP sites, then others, and now ColdFusion sites (searching for URLs containing “.cfm” files). It tries to pass a SQL script in a URL variable to each page, on the hope that at least some pages will pass it directly to the database in a way that the database server will execute them. (See http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII for details on how this SQL works.) 

The malicious SQL script used in this attack loops over system tables (sysobjects, syscolumns) to find character fields in all user tables, and append an HTML string to all character fields, assuming that at least some of those columns will be output directly on some other web page. This HTML string includes a JavaScript block, which will get the browser to download and run that JavaScript URL. (This JS URL will probably change quite often, but will be available enough to be downloaded.) Apparently, this script then turns the browser hitting the page displaying that data into a “bot” to hit other servers, and can do anything that Javascript in the browser can do, especially exploiting browser vulnerabilities.

It only requires successfully hitting one page on one site to get into that database, then the HTML would be displayed on whatever site uses those tables and columns.

The best way to prevent, is to make sure any data passed to SQL queries is only treated as data. All CF Queries should be parameterized (use CFQueryparam to pass the values in).

 

Action taken for containment:

The best permanent fix is for each and every query to be parameterized, so that no user-supplied text is passed to the database directly.   

There are some ways to block some of the SQL keywords in URL and form variables; this is not guaranteed to match, and may have some false positives, but will buy time to protect all queries. 

We set up some CF code on most public sites, set up in Application.cfm (runs at beginning of each request) to search for these SQL keywords in the URL and then abort the page.

 

Action taken for resolution and recovery:

The best permanent fix is for each and every query to be parameterized, so that no user-supplied text is passed to the database directly.   

In the meantime, block those SQL keywords either through CF code (we put on most public sites) or through rewrite rules. 

To repair the infected database, we are running a SQL script similar to the injected SQL to remove the appended HTML from those columns it was added to.

 

Further recommendations:

  • Have daily backups of all databases.
  • Regular backups of code.
  • Do a security audit on your site (TeraTech can do this)
  • Better CF regex filtering of url/form variables at application level
    • May block this set of attacks enough to buy time.
    • Not a replacement for parameterizing all queries.
  • Blocking on webserver level, using rewrite rules. We haven’t quite found a set of rules that work reliably, but will keep looking.
    • May block this set of attacks enough to buy time.
    • Not a replacement for parameterizing all queries.
    • open-source Ionics ISAPI rewrite filter http://www.codeplex.com/IIRF/
      • Filter requires a copy of the DLL and INI file in separate folder for each site, then point each site to that DLL
    • Helicon ISAPI Rewrite (commercial): http://www.isapirewrite.com/
    • Backup the rule configuration files
  • Optionally, look at an application firewall that can block certain types of requests. Rules are options. Not guaranteed to block everything, and can have false positives, but protects the whole server and individual sites, and is highly configurable. Again, not a replacement for parameterizing all queries.
    • Applicure dotDefender; $4000 for a server
      • http://www.applicure.com/
  • Each and every query should pass variables to database using CFQueryParam. Use QueryParam scanner (http://qpscanner.riaforge.org/) on source folders to find queries that might be missing.
  • Any code that uses URL or Form-supplied values to determine SQL columns or sort order, should check against a list of valid columns etc. Don’t use those values directly in the query without checking.
  • If you have cached queries that get user-entered values, CF before 8.01 doesn’t allow caching queries that use cfqueryparam. Consider other options, like caching the query without that WHERE clause and then doing a query on that query.
  • Validate form fields; check values of ID fields entered in URL before getting to query, then display nicer message to user and don’t need to send an error message.

 

Resources: 

Good description on how this attack works:

http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII

 

on Ben Forta’s blog:

http://www.forta.com/blog/index.cfm/2005/12/21/SQL-Injection-Attacks-Easy-To-Prevent-But-Apparently-Still-Ignored

http://www.forta.com/blog/index.cfm/2008/7/22/For-Goodness-Sake-Use-CFQUERYPARAM-Already

http://www.forta.com/blog/index.cfm/2008/7/23/Hacker-Webzine-Recommends-Use-Of-CFQUERYPARAM

 

 

QueryParam scanner (search CF code for queries that are probably missing cfqueryparam):

http://qpscanner.riaforge.org/

 

HP Scrawlr: finds web pages vulnerable to SQL injection attacks on your own sites.

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx

  • Facebook
  • Twitter
  • LinkedIn

Related Posts

  • 7 Steps To Get The Best Coldfusion Web Application Performance
  • SQL vs NoSQL (Top 4 Key Differences Explained)
  • SQL Reserved word or not, that is the question
  • SQL tricks – creative JOINs with legacy data

Filed Under: SQL

← Previous Post ColdFusion 9 Details
Next Post → USB Toaster

Primary Sidebar

Popular podcast episodes

  • Revealing ColdFusion 2021 – Rakshith Naresh
  • CF and Angular – Nolan Erck
  • Migrating legacy CFML – Nolan Erck
  • Adobe API manager – Brian Sappey
  • Improve your CFML code – Kai Koenig

CF Alive Best Practices Checklist

Modern ColdFusion development best practices that reduce stress, inefficiency, project lifecycle costs while simultaneously increasing project velocity and innovation.

Get your checklist

Top articles

  • CF Hosting (independent guide)
  • What is Adobe ColdFusion
  • Is Lucee CFML now better than ACF?
  • Is CF dead?
  • Learn CF (comprehensive list of resources)

Recent Posts

  • 141 Into The Box 2025 ColdFusion conference (all the details) with Daniel Garcia – Transcript
  • 141 Into The Box 2025 ColdFusion conference (all the details) with Daniel Garcia
  • 107 ColdFusion 2021 Revealing Details on How it was Created with Rakshith Naresh
  • The Legacy Continues: ColdFusion Summit East Conference Edition
  • 140 BoxLang modern JVM language that runs CFML code (new CFML engine and much more) with Luis Majano and Brad Wood – Transcript

Categories

  • Adobe ColdFusion 11 and older
  • Adobe ColdFusion 2018
  • Adobe ColdFusion 2020 Beta
  • Adobe ColdFusion 2021
  • Adobe ColdFusion 2023
  • Adobe ColdFusion 2024
  • Adobe ColdFusion 2025
  • Adobe ColdFusion Developer week
  • Adobe ColdFusion Project Stratus
  • Adobe ColdFusion Summit
  • AWS
  • BoxLang
  • CF Alive
  • CF Alive Podcast
  • CF Camp
  • CF Tags
  • CF Vs. Other Languages
  • CFEclipse
  • CFML
  • CFML Open- Source
  • CFUnited
  • ColdBox
  • ColdFusion and other news
  • ColdFusion Community
  • ColdFusion Conference
  • ColdFusion Consulting
  • ColdFusion Developer
  • ColdFusion Development
  • ColdFusion Hosting
  • ColdFusion Maintenance
  • ColdFusion Performance Tuning
  • ColdFusion Projects
  • ColdFusion Roadmap
  • ColdFusion Security
  • ColdFusion Training
  • ColdFusion's AI
  • CommandBox
  • Docker
  • Fixinator
  • Frameworks
  • Fusebox
  • FusionReactor
  • IntoTheBox Conference
  • Java
  • JavaScript
  • JVM
  • Learn CFML
  • Learn ColdFusion
  • Legacy Code
  • Load Testing
  • Lucee
  • Mindmapping
  • MockBox
  • Modernize ColdFusion
  • Ortus Developer Week
  • Ortus Roadshow
  • Server Crash
  • Server Software
  • Server Tuning
  • SQL
  • Survey
  • Survey results
  • TestBox
  • Transcript
  • Webinar
  • Women in Tech

TeraTech

  • About Us
  • Contact

Services

  • Free assessment
  • Consulting
  • Crash
  • Development
  • Maintenance
  • Modernization
  • Security
  • Case Studies

Resources

  • CF Alive Book
  • CF Alive Podcast
    • Podcast Guest Schedule
  • TeraTech Blog
  • CF Alive resources
  • CF e-course
  • CF best practice checklist

Community

  • CF Alive
  • CF Inner Circle
  • CF Facebook Group

TeraTech Inc
451 Hungerford Drive Suite 119
Rockville, MD 20850

Tel : +1 (301) 424 3903
Fax: +1 (301) 762 8185

Follow us on Facebook Follow us on LinkedIn Follow us on Twitter Follow us on Pinterest Follow us on YouTube



Copyright © 1998–2025 TeraTech Inc. All rights Reserved. Privacy Policy.