Help me fix sql injection please

 
codezlimit
post 1 Aug, 2007 - 01:41 AM
Post #1



Hi all, I have no knowledge of the CFM language at all, but because I want to fix my website I have been trying to read CFM articles the whole day. Anyway, I know we can use cfqueryparam to fix SQL injection; however, the problem is I don't know where to put cfqueryparam in my script. Can someone please help me out? It would be really appreciated.

People can inject into my data like this:

http://mysite.com/prod?prodid=1;delete my table

Below is my script:

I know I need to do something with #prodid#, but have no clue what or how.

CODE
<cfsetting enablecfoutputonly="yes">
<cfparam name="AdditionalShipping" default="0">
<cfinclude template="/cfmIncludes/header.cfm">
<cfinclude template="/cfmIncludes/qGetProducts.cfm">
<cfoutput>
    <tr>
        <td valign="top" colspan="2">
            <table border="0" cellpadding="0" cellspacing="0" width="750"  height="100%" align="center">
                <tr>
                    <td bgcolor="E1E1E1" align="center" valign="top" width="155">
                    <!--- START of Left Side --->
                        <cfinclude template="/cfmIncludes/becomeMember.inc">
                        <cfinclude template="/cfmIncludes/platformButtons.inc">
                    <!--- END of Left Side --->
                    </td><td width="432" align="center" valign="top">
                    <!--- START of Center --->
                        <table border="0" cellpadding="0" cellspacing="0" width="420" height="100%" align="center">
                            <!--- Platform Title Head --->
                            <cfif IsDefined("PlatformID") AND PlatformID GT 0>
                            <tr>
                                <td height="50" valign="top"><img src="#Application.SiteURL#media/images/contentHdr_#PlatformID#.gif" width="420" height="50" alt="" border="0"></td>
                            </tr>
                            </cfif>
                            <tr>
                                <td valign="top">
                                    <!--- START of Content --->
                                    <table border="0" <cfif IsDefined("PlatformID") AND PlatformID GT 0>background="media/images/Wtrmk_#PlatformID#.gif" </cfif>cellpadding="4" cellspacing="0" width="100%">
                                        <style type="text/css">
                                        .categoryLink { FONT-FAMILY: VERDANA; FONT-SIZE: 7PT; FONT-WEIGHT: BOLD; COLOR: ##000000; }
                                        .categoryLink A:LINK { FONT-FAMILY: VERDANA; FONT-SIZE: 7PT; FONT-WEIGHT: BOLD; COLOR: #checkPlatformID.PlatformColor#; TEXT-DECORATION: NONE; }
                                        .categoryLink A:HOVER { FONT-FAMILY: VERDANA; FONT-SIZE: 7PT; FONT-WEIGHT: BOLD; COLOR: BLACK; TEXT-DECORATION: NONE; }
                                        .categoryLink A:ACTIVE { FONT-FAMILY: VERDANA; FONT-SIZE: 7PT; FONT-WEIGHT: BOLD; COLOR: BLACK; TEXT-DECORATION: NONE; }
                                        .categoryLink A:VISITED { FONT-FAMILY: VERDANA; FONT-SIZE: 7PT; FONT-WEIGHT: BOLD; COLOR: #checkPlatformID.PlatformColor#; TEXT-DECORATION: NONE; }
                                        .categoryLink A:VISITED:HOVER { FONT-FAMILY: VERDANA; FONT-SIZE: 7PT; FONT-WEIGHT: BOLD; COLOR: BLACK; TEXT-DECORATION: NONE; }
                                        </style>

                                        <cfinclude template="/cfmIncludes/categoryLinks.inc">
                                        <cfif IsDefined("URL.ViewACC")>
                                            <cfinclude template="/cfmIncludes/sortACC.cfm">
                                        <cfelse>
                                            <cfinclude template="/cfmIncludes/sortBy.inc">
                                        </cfif>
                                        <cfif Sort EQ 1 AND NOT IsDefined("URL.ViewACC")>
                                            <cfinclude template="/cfmIncludes/sortAlpha.cfm">
                                        <cfelseif Sort EQ 2>
                                            <cfinclude template="/cfmIncludes/sortRating.cfm">
                                        <cfelseif Sort EQ 4>
                                            <cfinclude template="/cfmIncludes/sortAvail.cfm">
                                        </cfif>
                                        <tr valign="top">
                                            <td valign="top">
                                                <table border="0" cellpadding="2" cellspacing="0" width="410" align="center">
                                                    <cfloop query="qGetProducts" startrow="#startrow#" endrow="#endrow#">
                                                        <!--- PlatformID = <cfdump var="#PlatformID#"><br> --->
                                                    <tr valign="top"><form action="#Application.SecureURL#cart/addItem.cfm" method="post" name="prodid#prodid#">
                                                        <td width="<cfif (PlatformID is 7) OR (PlatformID is 4)>85<cfelse>70</cfif>" valign="top" align="center" height="100%">
                                                        <cfif IsDefined("qGetProducts.ProductID")>
                                                            <cfif FileExists("#Application.PhysicalPath#\media\images\product\#ProductID#_1.#MediaExt#")>
                                                                <a href="#Application.SiteURL#prod.cfm?ProductID=#ProductID#"><img src="#Application.SiteURL#media/images/product/#ProductID#_1.#MediaExt#" alt="#ProductName#" border="0"></a>
                                                            <cfelse>
                                                                <a href="#Application.SiteURL#prod.cfm?ProductID=#ProductID#"><img src="#Application.SiteURL#media/images/no_image_thumb.jpg" border="0"></a>
                                                            </cfif>
                                                        <cfelse>
                                                            <cfif FileExists("#Application.PhysicalPath#\media\images\parentproduct\#prodid#_6.#MediaExt#")>
                                                                <a href="#Application.SiteURL#prod.cfm?PlatformID=#PlatformID#&prodid=#prodid#"><img src="#Application.SiteURL#media/images/parentproduct/#prodid#_6.#MediaExt#" alt="#ProductName#" border="0"></a>
                                                            <cfelse>
                                                                <a href="#Application.SiteURL#prod.cfm?PlatformID=#PlatformID#&prodid=#prodid#"><img src="#Application.SiteURL#media/images/no_image_thumb.jpg" border="0"></a>
                                                            </cfif>
                                                        </cfif>
                                                        </td>
                                                        <td width="180" class="productDetail" valign="top">
                                                            <input type="hidden" name="PlatformID" value="#PlatformID#">
                                                            <input type="hidden" name="prodid"  value="#prodid#">
                                                            <input type="hidden" name="Quantity" value="1">
                                                            <cfif IsDefined("session.LRef")>
                                                            <input type="hidden" name="vRef" value="#session.LRef#">
                                                            </cfif>
                                                            <a href="#Application.SiteURL#prod.cfm?<cfif IsDefined("ProductID")>ProductID=#ProductID#<cfelse>prodid=#prodid#</cfif>"><span class="altHead">#ProductName#</span></a><br>
                                                            <br>
                                                            <b>Genre:</b> #GenreName#
                                                            <br>
                                                            <b>Rating:</b> #Rating#
                                                            <cfif IsDefined("URL.prodid") OR NOT IsDefined("URL.PlatformID") AND IsDefined("PlatformName")>
                                                            <br><strong>Platform: <span style="color: ###platformColor#;">#PlatformName#</span></strong>
                                                            </cfif>
                                                            <cfif ReleaseDate NEQ "" AND DateCompare(ReleaseDate, Now()) EQ 1>
                                                                <br>
                                                                <span class="productNoteNormal">Available:<br>#DateFormat(ReleaseDate, "dddd, mmmm d, yyyy")#</span>
                                                            </cfif>
                                                        </td>
                                                        <td class="productDetail" valign="top" width="70">
                                                            <cfif Showcfm EQ 1>
                                                                <input type="image" src="#Application.SiteURL#media/images/btn_addcart.gif" alt="Add to Cart" border="0">
                                                            <cfelse>
                                                                <img src="#Application.SiteURL#media/images/Btn_OutOfStock.gif" alt="Out Of Stock" border="0">
                                                            </cfif>
                                                            <br>
                                                            <b>Member:</b><br>
                                                            <span class="priceMember">#DollarFormat(MemberPrice)#</span><br>
                                                        </td>
                                                        <td class="productDetail" valign="top" width="70">
                                                            <input type="image" src="#Application.SiteURL#media/images/btn_addwish.gif" alt="Add to Wish List" border="0" name="wish">
                                                            <br>
                                                            <b>Non-Member:</b><br>
                                                            <span class="priceNonMember">#DollarFormat(NonMemberPrice)#</span>
                                                        </td>
                                                    </tr></form>
                                                    <tr><td colspan="4" align="center" height="100%" valign="top"><hr size="1" width="100%" align="center" noshade></td></tr>
                                                    </cfloop>
                                                    <cfif qGetProducts.RecordCount EQ 0>
                                                        <tr><td colspan="4" align="center" height="100%" valign="top"><br><br><br>Sorry.  No products match your criteria.<br><br><br></td></tr>
                                                    </cfif>
                                                </table>
                                            </td>
                                        </tr>
                                        <cfif IsDefined("URL.ViewACC")>
                                            <cfinclude template="/cfmIncludes/sortACC.cfm">
                                        <cfelse>
                                            <cfinclude template="/cfmIncludes/sortBy.inc">
                                        </cfif>
                                    </table>
                                    <!--- END of Content --->
                                </td>
                            </tr>
                        </table>                                        
                        <!--- END of Center --->
                    </td><td bgcolor="E1E1E1" align="right" valign="top" width="155">
                    <!--- START of Right Side --->
                        <cfinclude template="/cfmIncludes/searchForm.inc">
                        <cfinclude template="/cfmIncludes/comingAttractions.inc">
                        <cfinclude template="/cfmIncludes/oldSchool.cfm">
                    <!--- END of Right Side --->
                    </td>
                </tr>
            </table>
<cfinclude template="/cfmIncludes/footer.cfm">
</cfoutput>
<cfsetting enablecfoutputonly="no">



PsychoCoder
post 5 Aug, 2007 - 10:13 PM
Post #2




Use CFQUERYPARAM like this:

CODE

<CFQUERY name="qGetItemDetail" datasource="YourDataSource">
  SELECT    *
  FROM    Item
  WHERE    ItemID = <CFQUERYPARAM  CFSQLTYPE="CF_SQL_INTEGER"  VALUE="#URL.ItemID#">
</CFQUERY>


So find the places in your site where the queries to the database happen and add a <CFQUERYPARAM> like the one above.

Happy Coding!
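The template in the first post never runs a query itself; the product lookup happens in the included /cfmIncludes/qGetProducts.cfm, which was not posted, so that include is where the cfqueryparam belongs. What follows is an added example (not code from this thread) of what such an include would look like before and after the fix. The table name Products, the columns prodid and PlatformID, the datasource Application.DSN and the extra URL parameters q and ids are assumptions for illustration. The point is that the value travels to the database as a typed bind parameter instead of being pasted into the SQL text, so ?prodid=1;delete my table is rejected before any statement runs; filtering or escaping the string by hand is not a substitute.

```cfml
<!--- Added example, not from the original thread. Table, column and
      datasource names below are assumed. --->

<!--- BEFORE (assumed shape of the vulnerable include): the raw URL value
      is concatenated into the SQL, so ?prodid=1;delete my table becomes
      part of the statement the database executes. --->
<cfquery name="qGetProducts" datasource="#Application.DSN#">
    SELECT *
    FROM   Products
    WHERE  prodid = #URL.prodid#
</cfquery>

<!--- AFTER: validate the parameter, then bind it. --->

<!--- 1. Reject anything that is not an integer before it reaches the
      query. cfparam with type="integer" throws if the value cannot be
      converted, so "1;delete my table" never gets near the database. --->
<cfparam name="URL.prodid" type="integer">
<cfparam name="URL.PlatformID" type="integer" default="0">
<cfparam name="URL.q" default="">
<cfparam name="URL.ids" default="0">

<!--- 2. Bind with cfqueryparam. The value is sent as a typed parameter
      rather than spliced into the SQL string, so the database never
      parses it as SQL. cf_sql_integer also re-checks the type and throws
      "Invalid data" for a non-numeric value. --->
<cfquery name="qGetProducts" datasource="#Application.DSN#">
    SELECT *
    FROM   Products
    WHERE  prodid = <cfqueryparam value="#URL.prodid#" cfsqltype="cf_sql_integer">
    <cfif URL.PlatformID GT 0>
    AND    PlatformID = <cfqueryparam value="#URL.PlatformID#" cfsqltype="cf_sql_integer">
    </cfif>
</cfquery>

<!--- 3. String parameters get the same treatment; the LIKE wildcards are
      added to the bound value, not to the SQL text, and maxlength caps
      the input. --->
<cfquery name="qSearch" datasource="#Application.DSN#">
    SELECT prodid, ProductName
    FROM   Products
    WHERE  ProductName LIKE <cfqueryparam value="%#URL.q#%" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>

<!--- 4. A comma-separated list of ids for an IN clause: list="true"
      expands to one bound parameter per element instead of dropping the
      raw string into the SQL. --->
<cfquery name="qCartItems" datasource="#Application.DSN#">
    SELECT prodid, MemberPrice
    FROM   Products
    WHERE  prodid IN (<cfqueryparam value="#URL.ids#" cfsqltype="cf_sql_integer" list="true">)
</cfquery>
```

One caveat: cfqueryparam can only bind values. It cannot parameterize a table or column name or an ORDER BY direction (the Sort variable in the first post's script selects an include, which is fine, but if it were ever interpolated into the query it would have to be mapped from a fixed list of allowed values in CFML before the query is built).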

amirsegal
post 12 Jun, 2008 - 02:04 PM
Post #3



If this helps, please review:

http://www.cheergallery.com/SQLInjectionHelp.html

for a quick filter to block SQL Injection attacks.

Amir Segal, Programmer