Coldfusion, secure cfc's from SQL injection attacks
I have a bunch of external forms that post data into databases via CFC's.
What I do is
- Create the form w/ a postback
- In the post back create an object and map form data to the object (cfc)
- Use CFparam to do validation on the type and store in THIS. scope
- Call a custom method to scan strings to sterilize them from attacks (seems to work well)
- Cfquery to insert.
Is there anything else I can or should be doing to secure the application from SQL attacks on insert? I use CFqueryParam on select statements, should I also use in insert statements?
Example of a simple CFC:
<!--- Instance Veriables --->
<cfparam name="THIS.firstPrintedField" type="string" default="#NullString#" />
<cfparam name="THIS.SecondPrintedField" type="string" default="#NullString#" />
<cfparam name="THIS.participantFullName" type="string" default="#NullString#" />
<cfparam name="THIS.studentStatus" type="string" default="#NullString#" />
<cfparam name="THIS.dob" type="date" default="#NullDate#" />
<cfparam name="THIS.readAndUnderStood_Day" type="string" default="#NullString#" />
<cfparam name="THIS.readAndUnderStood_Month" type="string" default="#NullString#" />
<cfparam name="THIS.readAndUnderStood_Year" type="string" default="#NullString#" />
<cfparam name="THIS.agreeToTerms" type="boolean" default="#NullBool#" />
<cfparam name="THIS.guardianFirstName" type="string" default="#NullString#" />
<cfparam name="THIS.guardianMiddleName" type="string" default="#NullString#" />
<cfparam name="THIS.guardianLastName" type="string" default="#NullString#" />
<cfparam name="THIS.DateTimeSubmited" type="date" default="#NullDate#" />
<cffunction access="public" name="addRecords" returntype="boolean">
<cftry>
<!--- Sanitize the string properties --->
<cfset Sanitize() />
<cfquery datasource="#DSN#" name="qryAddRecords">
INSERT INTO mod_OutdoorProgram_Waivers
(
firstPrintedField
,SecondPrintedField
,participantFullName
,studentStatus
,dob
,readAndUnderStood_Day
,readAndUnderStood_Month
,readAndUnderStood_Year
,agreeToTerms
,guardianFirstName
开发者_如何学Go ,guardianMiddleName
,guardianLastName
)
VALUES
(
'#THIS.firstPrintedField#'
,'#THIS.SecondPrintedField#'
,'#THIS.participantFullName#'
,'#THIS.studentStatus#'
,'#THIS.dob#'
,'#THIS.readAndUnderStood_Day#'
,'#THIS.readAndUnderStood_Month#'
,'#THIS.readAndUnderStood_Year#'
,'#THIS.agreeToTerms#'
,'#THIS.guardianFirstName#'
,'#THIS.guardianMiddleName#'
,'#THIS.guardianLastName#'
)
</cfquery>
<cfcatch><cfreturn false /></cfcatch>
</cftry>
<cfreturn true />
</cffunction>
cfqueryparam should be used everywhere, as it is ColdFusions sql injection vulnerability solution.
Also, if you know for sure the site that is going to posting to your CFC's you can secure them with some logic to only accept connections from that particular site / IP Address...Just one more step to keep people from messing with your code...
精彩评论