SQL Injection Protection for dynamic queries

Posted by jbugeja on Stack Overflow
Published on 2010-06-09T05:59:22Z

The typical controls against SQL injection flaws are to use bind variables (the cfqueryparam tag), validation of string data, and to turn to stored procedures for the actual SQL layer. This is all fine and I agree; however, what if the site is a legacy one and it features a lot of dynamic queries? Then rewriting all the queries is a herculean task and requires an extensive period of regression and performance testing. I was thinking of using a dynamic SQL filter and calling it prior to calling cfquery for the actual execution.

I found one filter in CFLib.org (http://www.cflib.org/udf/sqlSafe):

<cfscript>
/**
* Cleans string of potential sql injection.
*
* @param string      String to modify. (Required)
* @return Returns a string.
* @author Bryan Murphy ([email protected])
* @version 1, May 26, 2005
*/
function metaguardSQLSafe(string) {
	// Patterns the UDF neutralises: the SQL comment marker "-- " and the single quote.
	var sqlList = "-- ,'";
	// Replacements assembled from chr() so the entities survive CF parsing:
	// "-- " becomes "&#45;&#45; " and "'" becomes " &#39;". ColdFusion keeps the
	// whitespace inside each list element, so the second replacement gains a leading space.
	var replacementList = "#chr(38)##chr(35)##chr(52)##chr(53)##chr(59)##chr(38)##chr(35)##chr(52)##chr(53)##chr(59)# , #chr(38)##chr(35)##chr(51)##chr(57)##chr(59)#";

	// Apply both substitutions at once and trim the result.
	return trim(replaceList( string , sqlList , replacementList ));
}
</cfscript>

This seems to be quite a simple filter, and I would like to know whether there are ways to improve it or whether there is a better solution.
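As an added illustration (not part of the original post or of CFLib), here is a Python port of the sqlSafe UDF run against an in-memory SQLite table with constructed rows, beside the bind-variable pattern that cfqueryparam provides. The filter only rewrites characters that matter inside a quoted string literal, it mangles legitimate apostrophes, and it does nothing for an unquoted numeric parameter, while binding handles all three cases.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_ROWS = [(1, "alice"), (2, "O'Brien"), (3, "bob")]


def make_db():
    """In-memory SQLite table standing in for the legacy application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def sql_safe(value):
    """Python port of the CFLib sqlSafe UDF quoted in the question.

    replaceList("-- ,'", "&#45;&#45; , &#39;") maps "-- " -> "&#45;&#45; " and
    "'" -> " &#39;"; ColdFusion keeps the whitespace inside each list element,
    so the second replacement gains a leading space. The result is trimmed.
    """
    return value.replace("-- ", "&#45;&#45; ").replace("'", " &#39;").strip()


def by_name_filtered(conn, name):
    """Legacy pattern: filter the input, then splice it into a quoted literal."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % sql_safe(name)
    return conn.execute(sql).fetchall()


def by_id_filtered(conn, user_id):
    """Same filter in an unquoted numeric context, which its list never covers."""
    sql = "SELECT id, name FROM users WHERE id = %s" % sql_safe(user_id)
    return conn.execute(sql).fetchall()


def by_name_bound(conn, name):
    """Bind-variable pattern (what cfqueryparam does): the value is never SQL text."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def by_id_bound(conn, user_id):
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(by_name_filtered(conn, "O'Brien"))  # [] : the filter rewrote the apostrophe
    print(by_name_bound(conn, "O'Brien"))     # [(2, "O'Brien")]
    print(by_id_filtered(conn, "1 OR 1=1"))   # all three rows: nothing here matched the list
    print(by_id_bound(conn, "1 OR 1=1"))      # [] : compared as one literal value
```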
