SQL Injection and CFQUERYPARAM

Attacks using SQL injection are not new, and any website that passes parameters into an SQL string and runs it on the fly can be vulnerable to them. Recently, however, these attacks have been on the increase within the ColdFusion community.

If you don't know what SQL injection is: basically, an SQL injection attack happens when someone, or more often some automated program, tries to read, add, delete or change data in your online database by altering a value that is passed in a URL or FORM and pasted straight into a query. I have been chatting to a friend who has been affected by these attacks, and I find it hard to believe that there are still ColdFusion developers (with much more experience than I) not using cfqueryparam (I won't name names). The recent attacks have involved an automated insert of various HTML, along with a reference to a JavaScript file, into the affected databases.

This is not just an issue that affects small websites. A corporate site I worked on not so long ago had protected its logins but forgot the 'forgot password' field. I purposely broke the site to force an error, and within minutes I had the table name and its fields from the error message. If I had continued I could possibly have dropped tables or inserted into the database.

How to protect yourself

1) Be paranoid. If your website or application allows users to pass parameters into an SQL string, treat every one of them as an attack. Make sure you validate all incoming data, and start by using the CFQUERYPARAM tag, which has been around since ColdFusion 4. It binds the value as a typed parameter instead of pasting it into the SQL text, so an attacker's input can never change the structure of the query.

<!--- name and datasource are needed for the query to run; "myDSN" is a placeholder for your own datasource --->
<cfquery name="qAccount" datasource="myDSN">
SELECT *
FROM accounts
WHERE accountID = <cfqueryparam value="#FORM.accID#" cfsqltype="cf_sql_char" maxlength="4">
</cfquery>
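To show what the tag actually prevents, here is an added example (my own, not code from the original post) that puts the vulnerable, string-built query beside its parameterised form. It goes a little beyond the text: a list of ids bound with list="true", a string column with a length cap, and a whitelisted ORDER BY column, since identifiers cannot be bound with cfqueryparam. The datasource name "myDSN", the accountName column, the integer type of accountID and the form field names idList, accountName and sortBy are assumptions.

```cfml
<!--- Added example, not code from the original post.
      Assumes a datasource "myDSN" and a table accounts(accountID int, accountName varchar). --->

<!--- VULNERABLE: FORM.accID is pasted straight into the SQL text.
      Submitting accID = "1 OR 1=1" makes the query read
          SELECT * FROM accounts WHERE accountID = 1 OR 1=1
      which returns every account; where the driver accepts stacked statements,
      a value ending in "; DROP TABLE accounts" is just as easy to send. --->
<cfquery name="qVulnerable" datasource="myDSN">
    SELECT * FROM accounts
    WHERE accountID = #FORM.accID#
</cfquery>

<!--- SAFE: the value is bound as a typed parameter and never becomes part of the
      SQL text. "1 OR 1=1" is rejected before the query runs because it is not a
      valid integer; a genuine id works exactly as before. --->
<cfquery name="qAccount" datasource="myDSN">
    SELECT accountID, accountName
    FROM accounts
    WHERE accountID = <cfqueryparam value="#FORM.accID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Lists of ids still need binding: list="true" binds each element separately,
      so the IN clause becomes (?, ?, ?) rather than raw text. --->
<cfquery name="qSelected" datasource="myDSN">
    SELECT accountID, accountName
    FROM accounts
    WHERE accountID IN (
        <cfqueryparam value="#FORM.idList#" cfsqltype="cf_sql_integer" list="true">
    )
</cfquery>

<!--- String columns: match the column type and cap the length so an oversized
      value fails here rather than in the database. --->
<cfquery name="qByName" datasource="myDSN">
    SELECT accountID, accountName
    FROM accounts
    WHERE accountName = <cfqueryparam value="#FORM.accountName#"
                                      cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<!--- Identifiers (column or table names) cannot be bound as parameters, so a
      user-chosen sort column is checked against a whitelist and only the
      whitelist's own copy of the name, never FORM.sortBy itself, goes into the SQL. --->
<cfset allowedSort = "accountID,accountName">
<cfset sortBy = "accountID">
<cfif structKeyExists(FORM, "sortBy") AND listFindNoCase(allowedSort, FORM.sortBy)>
    <cfset sortBy = listGetAt(allowedSort, listFindNoCase(allowedSort, FORM.sortBy))>
</cfif>
<cfquery name="qSorted" datasource="myDSN">
    SELECT accountID, accountName
    FROM accounts
    ORDER BY #sortBy#
</cfquery>
```

Pick the cfsqltype that matches the column (cf_sql_integer for an int column, cf_sql_varchar for text and so on): ColdFusion validates the value against that type before the query is sent, which is why "1 OR 1=1" never reaches the database at all.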

2) Don't make it easy to guess what your database fields are called. If your form field is called 'accID', don't call the column 'accID' in the database as well; that makes it too easy. Bear in mind this is only obscurity: it slows an attacker down, but it is no substitute for cfqueryparam.

3) If a page only needs to read from your database, make sure the database user behind its datasource only has read permissions. An injected DROP or INSERT then fails at the database even if a query slips through unparameterised.

4) Handle your errors and don't give anything away! Make it harder for your attacker to discover your table names. Use try and catch statements, implement the onError method in Application.cfc, and show nothing that reveals the structure of your database; a raw database error message is exactly what gave me the table and field names in the example above. Log the full exception for yourself, but display only a generic message.

5) Check the page referrer, but don't rely on it. Lots of attackers will save a copy of the web page locally. Doing this allows them to change URLs (such as switching between http and https), remove or alter the JavaScript validation and edit any other HTML element before posting the form back. Always force the user onto SSL if it is used, and check the referrer to see where the post has come from. Remember, though, that the Referer header is supplied by the client and is trivial to forge, and that JavaScript validation can be bypassed entirely, so every value must also be validated on the server before it goes anywhere near a query.
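An Application.cfc that puts points 4 and 5 into practice, as an added example of mine rather than the original post's code: it forces HTTPS, logs and rejects a POST whose Referer is not this site (treating that only as a nuisance for lazy tooling, not a security control), validates the form value on the server, and makes onError log the full exception privately while showing the visitor a generic message. The application name, the log file names and the accID field are assumptions.

```cfml
<!--- Added example, not code from the original post. --->
<cfcomponent output="false">
    <cfset this.name = "accountsApp">  <!--- assumed application name --->

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var secureUrl = "">

        <!--- Force SSL. CGI.SERVER_PORT_SECURE is "1" when the request came over HTTPS. --->
        <cfif CGI.SERVER_PORT_SECURE NEQ "1">
            <cfset secureUrl = "https://#CGI.SERVER_NAME##CGI.SCRIPT_NAME#">
            <cfif len(CGI.QUERY_STRING)>
                <cfset secureUrl = secureUrl & "?" & CGI.QUERY_STRING>
            </cfif>
            <cflocation url="#secureUrl#" addtoken="false">
        </cfif>

        <!--- Referer check. The header is sent by the client and is trivial to forge,
              so this only catches saved-and-edited pages posted back naively; it is
              logged and rejected, but never trusted as the real defence.
              The trailing "/" stops "://www.example.com.evil.net/" from matching. --->
        <cfif CGI.REQUEST_METHOD EQ "POST"
              AND findNoCase("://#CGI.SERVER_NAME#/", CGI.HTTP_REFERER) EQ 0>
            <cflog file="security" type="warning"
                   text="POST to #arguments.targetPage# with missing/foreign referer [#CGI.HTTP_REFERER#] from #CGI.REMOTE_ADDR#">
            <cfthrow type="Security.BadReferer" message="Request rejected">
        </cfif>

        <!--- Server-side validation. JavaScript validation can be deleted from a
              saved copy of the page, so the server checks the value itself. --->
        <cfif structKeyExists(FORM, "accID") AND NOT isValid("integer", FORM.accID)>
            <cfthrow type="Validation.BadInput" message="Invalid account id">
        </cfif>

        <cfreturn true>
    </cffunction>

    <!--- Log the real exception (which, for a database error, carries the SQL and
          the table and column names) to a private log file, and show the visitor
          nothing that describes the database. --->
    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">

        <cflog file="application" type="error"
               text="#arguments.eventName#: #arguments.exception.message# | #arguments.exception.detail#">

        <cfheader statuscode="500" statustext="Internal Server Error">
        <cfoutput>
            <p>Sorry, something went wrong. The problem has been logged.</p>
        </cfoutput>
    </cffunction>
</cfcomponent>
```

onError only fires for exceptions that reach it, so a cftry/cfcatch around an individual query is still the place to give the user a page-specific message. Also make sure "Enable Robust Exception Information" is switched off in the ColdFusion Administrator on production servers; with it on, the stock error page prints the failing SQL and datasource details for anyone to read.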

Comments
some good advice, thanks
# Posted By Steve | 09/09/08 14:33
 

About Me

Glyn Jackson, 28 years old, MD and senior developer of a development firm based in Staffordshire called Newebia Ltd. Academic background in BSc Information System & Internet Commerce. Online marketing expert (EE Ranked) and .NET developer. Has been developing with ColdFusion for 5 years and loves it. "I am not a veteran in ColdFusion but I do work on challenging projects which help me learn more about ColdFusion and if I can contribute to the community in anyway then, it's all good!"
