Dream.In.Code > Programming Help > ColdFusion

Welcome to Dream.In.Code
	Getting Help is Easy! Join 132,430 Programmers for FREE! Get instant access to thousands of experts, tutorials, code snippets, and more! There are 1,482 people online right now. Registration is fast and FREE... Join Now! Chat LIVE With a Expert

Help me fix sql injection please

Reply to this topic

Start new topic

Help me fix sql injection please

codezlimit	1 Aug, 2007 - 12:41 AM Post #1
New D.I.C Head Joined: 1 Aug, 2007 Posts: 1 My Contributions	Hi all, i have no knowledge about cfm language at all, but just because i want to fix my website, i have been trying to read cfm article the whole day. anyway, i know we can using cfqueryparam to fix sql injection , however the problem is i don't know where to put cfqueryparam into my script, can you one please help me out. would be really appreciated. people can injection my data like this: http://mysite.com/prod?prodid=1;delete my table below r my script: i know, i need to do something on #prodid#, but no clue what and how to do CODE <cfsetting enablecfoutputonly="yes"> <cfparam name="AdditionalShipping" default="0"> <cfinclude template="/cfmIncludes/header.cfm"> <cfinclude template="/cfmIncludes/qGetProducts.cfm"> <cfoutput> <tr> <td valign="top" colspan="2"> <table border="0" cellpadding="0" cellspacing="0" width="750" height="100%" align="center"> <tr> <td bgcolor="E1E1E1" align="center" valign="top" width="155"> <!--- START of Left Side ---> <cfinclude template="/cfmIncludes/becomeMember.inc"> <cfinclude template="/cfmIncludes/platformButtons.inc"> <!--- END of Left Side ---> </td><td width="432" align="center" valign="top"> <!--- START of Center ---> <table border="0" cellpadding="0" cellspacing="0" width="420" height="100%" align="center"> <!--- Platform Title Head ---> <cfif IsDefined("PlatformID") AND PlatformID GT 0> <tr> <td height="50" valign="top"><img src="#Application.SiteURL#media/images/contentHdr_#PlatformID#.gif" width="420" height="50" alt="" border="0"></td> </tr> </cfif> <tr> <td valign="top"> <!--- START of Content ---> <table border="0" <cfif IsDefined("PlatformID") AND PlatformID GT 0>background="media/images/Wtrmk_#PlatformID#.gif" </cfif>cellpadding="4" cellspacing="0" width="100%"> <style type="text/css"> .categoryLink { FONT-FAMILY: VERDANA; FONT-SIZE: 7PT; FONT-WEIGHT: BOLD; COLOR: ##000000; } .categoryLink A:LINK { FONT-FAMILY: VERDANA; FONT-SIZE: 7PT; FONT-WEIGHT: BOLD; COLOR: #checkPlatformID.PlatformColor#; TEXT-DECORATION: NONE; } .categoryLink A:HOVER { FONT-FAMILY: VERDANA; FONT-SIZE: 7PT; FONT-WEIGHT: BOLD; COLOR: BLACK; TEXT-DECORATION: NONE; } .categoryLink A:ACTIVE { FONT-FAMILY: VERDANA; FONT-SIZE: 7PT; FONT-WEIGHT: BOLD; COLOR: BLACK; TEXT-DECORATION: NONE; } .categoryLink A:VISITED { FONT-FAMILY: VERDANA; FONT-SIZE: 7PT; FONT-WEIGHT: BOLD; COLOR: #checkPlatformID.PlatformColor#; TEXT-DECORATION: NONE; } .categoryLink A:VISITED:HOVER { FONT-FAMILY: VERDANA; FONT-SIZE: 7PT; FONT-WEIGHT: BOLD; COLOR: BLACK; TEXT-DECORATION: NONE; } </style> <cfinclude template="/cfmIncludes/categoryLinks.inc"> <cfif IsDefined("URL.ViewACC")> <cfinclude template="/cfmIncludes/sortACC.cfm"> <cfelse> <cfinclude template="/cfmIncludes/sortBy.inc"> </cfif> <cfif Sort EQ 1 AND NOT IsDefined("URL.ViewACC")> <cfinclude template="/cfmIncludes/sortAlpha.cfm"> <cfelseif Sort EQ 2> <cfinclude template="/cfmIncludes/sortRating.cfm"> <cfelseif Sort EQ 4> <cfinclude template="/cfmIncludes/sortAvail.cfm"> </cfif> <tr valign="top"> <td valign="top"> <table border="0" cellpadding="2" cellspacing="0" width="410" align="center"> <cfloop query="qGetProducts" startrow="#startrow#" endrow="#endrow#"> <!--- PlatformID = <cfdump var="#PlatformID#"><br> ---> <tr valign="top"><form action="#Application.SecureURL#cart/addItem.cfm" method="post" name="prodid#prodid#"> <td width="<cfif (PlatformID is 7) OR (PlatformID is 4)>85<cfelse>70</cfif>" valign="top" align="center" height="100%"> <cfif IsDefined("qGetProducts.ProductID")> <cfif FileExists("#Application.PhysicalPath#\media\images\product\#ProductID#_1.#MediaExt#")> <a href="#Application.SiteURL#prod.cfm?ProductID=#ProductID#"><img src="#Application.SiteURL#media/images/product/#ProductID#_1.#MediaExt#" alt="#ProductName#" border="0"></a> <cfelse> <a href="#Application.SiteURL#prod.cfm?ProductID=#ProductID#"><img src="#Application.SiteURL#media/images/no_image_thumb.jpg" border="0"></a> </cfif> <cfelse> <cfif FileExists("#Application.PhysicalPath#\media\images\parentproduct\#prodid#_6.#MediaExt#")> <a href="#Application.SiteURL#prod.cfm?PlatformID=#PlatformID#&prodid=#prodid#"><img src="#Application.SiteURL#media/images/parentproduct/#prodid#_6.#MediaExt#" alt="#ProductName#" border="0"></a> <cfelse> <a href="#Application.SiteURL#prod.cfm?PlatformID=#PlatformID#&prodid=#prodid#"><img src="#Application.SiteURL#media/images/no_image_thumb.jpg" border="0"></a> </cfif> </cfif> </td> <td width="180" class="productDetail" valign="top"> <input type="hidden" name="PlatformID" value="#PlatformID#"> <input type="hidden" name="prodid" value="#prodid#"> <input type="hidden" name="Quantity" value="1"> <cfif IsDefined("session.LRef")> <input type="hidden" name="vRef" value="#session.LRef#"> </cfif> <a href="#Application.SiteURL#prod.cfm?<cfif IsDefined("ProductID")>ProductID=#ProductID#<cfelse>prodid=#prodid#</cfif>"><span class="altHead">#ProductName#</span></a><br> <br> <b>Genre:</b> #GenreName# <br> <b>Rating:</b> #Rating# <cfif IsDefined("URL.prodid") OR NOT IsDefined("URL.PlatformID") AND IsDefined("PlaformName")> <br><strong>Platform: <span style="color: ###platformColor#;">#PlatformName#</span></strong> </cfif> <cfif ReleaseDate NEQ "" AND DateCompare(ReleaseDate, Now()) EQ 1> <br> <span class="productNoteNormal">Available:<br>#DateFormat(ReleaseDate, "dddd, mmmm d, yyyy")#</span> </cfif> </td> <td class="productDetail" valign="top" width="70"> <cfif Showcfm EQ 1> <input type="image" src="#Application.SiteURL#media/images/btn_addcart.gif" alt="Add to Cart" border="0"> <cfelse> <img src="#Application.SiteURL#media/images/Btn_OutOfStock.gif" alt="Out Of Stock" border="0"> </cfif> <br> <b>Member:</b><br> <span class="priceMember">#DollarFormat(MemberPrice)#</span><br> </td> <td class="productDetail" valign="top" width="70"> <input type="image" src="#Application.SiteURL#media/images/btn_addwish.gif" alt="Add to Wish List" border="0" name="wish"> <br> <b>Non-Member:</b><br> <span class="priceNonMember">#DollarFormat(NonMemberPrice)#</span> </td> </tr></form> <tr><td colspan="4" align="center" height="100%" valign="top"><hr size="1" width="100%" align="center" noshade></td></tr> </cfloop> <cfif qGetProducts.RecordCount EQ 0> <tr><td colspan="4" align="center" height="100%" valign="top"><br><br><br>Sorry. No products match your criteria.<br><br><br></td></tr> </cfif> </table> </td> </tr> <cfif IsDefined("URL.ViewACC")> <cfinclude template="/cfmIncludes/sortACC.cfm"> <cfelse> <cfinclude template="/cfmIncludes/sortBy.inc"> </cfif> </table> <!--- END of Content ---> </td> </tr> </table> <!--- END of Center ---> </td><td bgcolor="E1E1E1" align="right" valign="top" width="155"> <!--- START of Right Side ---> <cfinclude template="/cfmIncludes/searchForm.inc"> <cfinclude template="/cfmIncludes/comingAttractions.inc"> <cfinclude template="/cfmIncludes/oldSchool.cfm"> <!--- END of Right Side ---> </td> </tr> </table> <cfinclude template="/cfmIncludes/footer.cfm"> </cfoutput> <cfsetting enablecfoutputonly="no"> This post has been edited by codezlimit: 1 Aug, 2007 - 12:42 AM
	This Post Was Helpful! ^New!


Register for Free to Make These Ads Go Away!

PsychoCoder	5 Aug, 2007 - 09:13 PM Post #2
using DIC.Core; Joined: 26 Jul, 2007 Posts: 8,923 Thanked 118 times Dream Kudos: 8475 Expert In: VB, VB.Net, C#, SQL, ASP, ASP.Net, Web Development, HTML, CSS, Win32 API, Javascript, mySQL, J#, Boo.Net My Contributions	Using the CFQUERYPARAM like this CODE <CFQUERY name="qGetItemDetail" datasource="YourDataSource"> SELECT * FROM Item WHERE ItemID = <CFQUERYPARAM CFSQLTYPE="CF_SQL_INTEGER" VALUE="#URL.ItemID#"> </CFQUERY> So you find in your site where the queries are happening to the database and add a <CFQUERYPARAM> like above Happy Coding!
	This Post Was Helpful! ^New!

amirsegal	12 Jun, 2008 - 01:04 PM Post #3
New D.I.C Head Joined: 12 Jun, 2008 Posts: 1	If this helps, please review: http://www.cheergallery.com/SQLInjectionHelp.html for a quick filter to block SQL Injection attacks. Amir Segal, Programmer
	This Post Was Helpful! ^New!

Fast Reply

Reply to this topic

Start new topic

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Time is now: 11/22/08 09:58AM

Invision Power Board v2.1.7 © 2008 IPS, Inc.

Licensed to: MediaGroup1

Advertising | Terms of Use | Privacy Policy | About Us | Site Map

Forum Index: Programming Help | C and C++ | Visual Basic | Java | VB.NET | C# | ASP.NET | PHP | ColdFusion | Perl and Python | Ruby | Databases | Other Languages | Game Programming | Software Development | Computer Science | Industry News | Programming Tutorials | C++ Tutorials | Visual Basic Tutorials | Java Tutorials | VB.NET Tutorials | C# Tutorials | PHP Tutorials | Linux Tutorials | ColdFusion Tutorials | Windows Tutorials | HTML/JavaScript Tutorials | CSS Tutorials | Flash Tutorials | Web Promotion Tutorials | Photoshop Tutorials | Software Development Tutorials | Database Tutorials | Other Language Tutorials |

Copyright 2001-2008 MediaGroup1 LLC, All Rights Reserved
A MediaGroup1 LLC Production - Version 6.0.2.1.36

Search^Updated!w00t

Over 509,000 Pages! Advanced Forum Search

Live Help!

Tutorials

Programming

Web Development

Reference Sheets

Code Snippets

Bye Bye Ads

Free DIC T-Shirt

T-Shirt Example

Related Sites

Monthly Drawing

Partners

Top Contributors

Top 10 Kudos This Month