<?xml version="1.0" encoding="utf-8"?>

			<rss version="2.0" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:cc="http://web.resource.org/cc/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd">

			<channel>
			<title>Glyn Jackson&apos;s Web Design and ColdFusion Blog - Security</title>
			<link>http://www.cfcoffee.co.uk/index.cfm</link>
			<description>Glyn Jackson&apos;s ColdFusion, Web Design and Web Development Blog. Award Winning Web Design in Staffordshire and Manchester, UK.</description>
			<language>en-gb</language>
			<pubDate>Sat, 04 Sep 2010 20:44:46 +0100</pubDate>
			<lastBuildDate>Tue, 12 Aug 2008 22:28:00 +0100</lastBuildDate>
			<generator>BlogCFC</generator>
			<docs>http://blogs.law.harvard.edu/tech/rss</docs>
			<managingEditor>cfsparky@gmail.com</managingEditor>
			<webMaster>cfsparky@gmail.com</webMaster>
			<itunes:subtitle></itunes:subtitle>
			<itunes:summary></itunes:summary>
			<itunes:category text="Technology" />
			<itunes:category text="Technology">
				<itunes:category text="Podcasting" />
			</itunes:category>
			<itunes:category text="Technology">
				<itunes:category text="Tech News" />
			</itunes:category>
			<itunes:keywords></itunes:keywords>
			<itunes:author></itunes:author>
			<itunes:owner>
				<itunes:email>cfsparky@gmail.com</itunes:email>
				<itunes:name></itunes:name>
			</itunes:owner>
			
			<itunes:explicit>no</itunes:explicit>
			
			
			
			
			
			<item>
				<title>SQL Injection and CFQUERYPARAM</title>
				<link>http://www.cfcoffee.co.uk/index.cfm/2008/8/12/SQL-Injection-and-cfqueryparam</link>
				<description>
				
				&lt;p&gt;Attacks using SQL injection are not new, and any website passing parameters into an SQL string and running them on the fly can be vulnerable to these types of attacks. However, recently these types of attacks have been on the increase within the ColdFusion community.&lt;/p&gt;

&lt;p&gt;If you don&apos;t know what SQL injection is, basically an SQL injection attack happens when someone, or maybe some program, tries to add, delete or change data in your online database by making changes to the query string that is passed in a URL/FORM.
				 [More]
				</description>
				
				
				<category>Security</category>
				
				<category>ColdFusion</category>
				
				<pubDate>Tue, 12 Aug 2008 22:28:00 +0100</pubDate>
				<guid>http://www.cfcoffee.co.uk/index.cfm/2008/8/12/SQL-Injection-and-cfqueryparam</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>HTTP to HTTPS redirect</title>
				<link>http://www.cfcoffee.co.uk/index.cfm/2008/7/28/HTTP-to-HTTPS-redirect</link>
				<description>
				
				&lt;p&gt;In some of my applications I only want the user to connect on a Secure Sockets Layer (SSL). I have already installed my SSL Cert and need to know how to force any traffic not on SSL to be on SSL. &lt;/p&gt;

&lt;p&gt;An example of when you may want to do this could be when a user on your site is entering sensitive information such as credit card details.&lt;/p&gt; 

&lt;p&gt;It&apos;s not good to rely on the fact that you have taken them via a post to an HTTPS page; your user could change the URL or get to your page in a different way. You should always make sure they are on SSL.&lt;/p&gt;

&lt;p&gt;Note: The example below will depend on the particular CGI variables available on your own server.&lt;/p&gt;
				 [More]
				</description>
				
				
				<category>Security</category>
				
				<category>ColdFusion</category>
				
				<pubDate>Mon, 28 Jul 2008 14:12:00 +0100</pubDate>
				<guid>http://www.cfcoffee.co.uk/index.cfm/2008/7/28/HTTP-to-HTTPS-redirect</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Longer Session Tokens</title>
				<link>http://www.cfcoffee.co.uk/index.cfm/2008/7/28/Longer-Session-Tokens</link>
				<description>
				
				&lt;p&gt;Like most of my web applications, I use sessions at some point to store information such as login information. I do this by utilizing session tokens so that the server can identify who is who. However, if you have ever looked at the default session ID, you may have noticed it is relatively easy to guess. If you&apos;re using the ColdFusion default session management, it&apos;s made up of the application name, CFID and CFTOKEN. This creates a unique session ID; apart from the app name, it&apos;s only numbers, NOT letters or any special characters.&lt;/p&gt;
				 [More]
				</description>
				
				
				<category>Security</category>
				
				<category>ColdFusion</category>
				
				<pubDate>Mon, 28 Jul 2008 13:46:00 +0100</pubDate>
				<guid>http://www.cfcoffee.co.uk/index.cfm/2008/7/28/Longer-Session-Tokens</guid>
				
				
			</item>
			
		 	
			</channel></rss>