Validate form input to protect against SQL Attack

sc0705837

Hi there I am trying to get my action page of the website I'm building to check to see if the form input values are empty, if they are not it will then check to see if any of the form inputs contain any SQL. I have read in some other places that you can use cfparam or cfqueryparam to stop this but I don't really know how to use them.

This is the code:

Expand|Select|Wrap|Line Numbers

 
<cfif len(form.username) EQ 0 OR len(form.password) EQ 0>

            <p>You did not enter a username or password</p>

            <p><a href="index.cfm">Please go back and try again</a></p>

          <cfelse>

            <cfquery name = "login" datasource="blah">

            SELECT login, password

            FROM member

            WHERE login = '#form.username#' AND password = '#form.password#'

            </cfquery>
 
            <cfif login.RecordCount GT 0>
 
              <cfif '#form.username#' EQ #login.login# AND '#form.password#' EQ #login.password#>

                  <p> Your name is right...</p>

                  <cfset session.memberLogin = #form.username#>

              <cfelse>

                  <p>Sorry incorrect username or password, please try again</p>

                  <cflocation url="index.cfm">

              </cfif>
 
              <cfoutput>

                  <cfif session.name IS "admin">

                      <cflocation url="index.cfm">

                  <cfelse>

                      <cflocation url="profile.cfm?un=#session.name#">

                  </cfif>

              </cfoutput>    
 
            <cfelse>

              <p>Sorry you entered an incorrect username/password</p>

              <p><a href="index.cfm">Try again here!</a></p>

            </cfif>
 
        </cfif>

Any help would be awesome, thanks.

jKara

Quote:

Originally Posted by sc0705837

....if they are not it will then check to see if any of the form inputs contain any SQL. I have read in some other places that you can use cfparam or cfqueryparam to stop this but I don't really know how to use them.

Expand|Select|Wrap|Line Numbers

 
            <cfquery name = "login" datasource="blah">

            SELECT login, password

            FROM member

            WHERE login = '#form.username#' AND password = '#form.password#'

            </cfquery>

It is cfqueryparam. It does not check to see if the inputs contain SQL, but rather _helps_ prevent malicious sql from being executed in the query by enforcing data type rules.

Using cfqueryparam is very simple. The most basic form requires only: "value" and "cfsqltype". The cfsqltype is a string value that represents the data type of your table column. The correct values to use are determined by database type, but some examples are: cf_sql_varchar, cf_sql_integer, etc...

You can find more information about cfqueryparam it in the online documentation
http://livedocs.adobe.com/coldfusion...gs_p-q_18.html

Expand|Select|Wrap|Line Numbers

 
...

FROM member

WHERE 

login = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar"> AND password = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar">

sc0705837

Right, thanks alot for the help, will just go set this up. Its only a student project so this minimal amount of protection should be good enough.

Thanks again!

Validate form input to protect against SQL Attack

re: Validate form input to protect against SQL Attack

re: Validate form input to protect against SQL Attack

Similar ColdFusion bytes

/bytes/development

/bytes/it

/bytes/other

/bytes/about