SQL Injection - cfqueryparam and other techniques to stop abuse?

We have been having a lot of issues with SQL injection lately and so we are trying various methods to secure the data better.
First off we have been utilizing cfqueryparam on the queries that are being hit. I am also optimizing the data tables so that more maxlengths are in place.
What else can be done to improve security? I have looked up everything and anything on the internet and keep seeing the cfqueryparam.
Does changing the variables or table names make any difference? We are trying that, but I want to make sure it is not a waste of our time.
Thanks for any other suggestions.

CFqueryparam is a good first step, though you should note that it will not protect some queries.  For example if you have a sort by or order by that is dynamic, cfqueryparam won't help in that case.  You will need to review data and validate for that.
You should also be checking for XSS vulnerabilities.
http://www.12robots.com/index.cfm/2008/8/4/Persistent-XSS-Attacks-and-countermeausures-in-ColdFusion
The blog above has a great number of CF security related posts.
Pete Freitag has a nice security scanner that will look at your CF server and highlight any missing patches and some other issues
http://www.petefreitag.com/item/721.cfm
There are some open source projects that will also filter out common sql injection and xss attacks on a code level.
http://portcullis.riaforge.org/
Finally there are several conferences in the CF world coming up, and all surely have some security sessions.  You may want to attend.
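The answer's point about dynamic sort clauses deserves a concrete shape: values that are compared against data go through cfqueryparam, but a column name or ASC/DESC cannot be bound as a parameter and has to be resolved through an allowlist instead. The following is an added example written for this page, not code from the original thread; the datasource name "myDSN", the products table and its columns (product_id, name, price, created_at, category_id) are assumed.

```cfml
<!--- Added example (not from the original thread): a product list that filters
      on a user-supplied category and sorts on a user-chosen column.
      Assumed: datasource "myDSN", table products with columns product_id,
      name, price, created_at, category_id. --->
<cfparam name="url.category" default="0">
<cfparam name="url.sort" default="name">
<cfparam name="url.dir" default="asc">

<!--- Identifiers (column names, ASC/DESC) cannot be bound as parameters, so
      they are resolved through an allowlist. The request value is only used
      as a lookup key; whatever reaches the SQL text is one of these literals. --->
<cfset sortColumns = { name = "name", price = "price", newest = "created_at" }>
<cfset sortColumn = structKeyExists(sortColumns, url.sort) ? sortColumns[url.sort] : "name">
<cfset sortDir = (lCase(url.dir) EQ "desc") ? "DESC" : "ASC">

<cfquery name="products" datasource="myDSN">
    SELECT product_id, name, price, created_at
    FROM   products
    <!--- The compared value is bound. With cf_sql_integer, ColdFusion rejects a
          non-numeric value before the statement is ever sent to the database. --->
    WHERE  category_id = <cfqueryparam value="#url.category#" cfsqltype="cf_sql_integer">
    ORDER BY #sortColumn# #sortDir#
</cfquery>
```

The allowlist is the whole defence for the ORDER BY clause: an unknown sort key silently falls back to the default column, and the direction can only ever be one of the two literals. Renaming tables or variables, as the question asks about, changes nothing here, because the attacker never needs to know the column names to reach the SQL text through an unbound value.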

Similar Messages

  • SQL Injection with CF7 and MS SQL 2005

    I looked through a bunch of SQL injection posts and couldn't
    find a definitive answer to this...
    Let me introduce this by saying that I know I should be using
    CFQUERYPARAM with EVERY CF variable in a CFQUERY tag. No excuses.
    But for a necessary quick fix, if I only use it for numeric
    DB fields, is SQL injection still possible (using MS SQL 2005)?
    I've yet to successfully perform SQL injection while manipulating a
    variable surrounded by single quotes in the query.
    Scenario 1) select * from users where user_id=#form.user_id#
    ...is a gimme to hack, but
    Scenario 2) select * from users where
    password='#form.password#' ...is another story
    Has anyone ever heard of a successful SQL injection attack in
    a Scenario 2 situation?
    I'll fix everything up eventually, but I've got a Pen Test
    coming up soon, and a lot of raw code to review.
    Thanks

    quote: Originally posted by: Dan Bracuk
    What others can do is more relevant than what we think. When in doubt, test.
    Very true, although my final solution went more like, "When in doubt, manually add about 600 cfqueryparams in 406 cfquery tags".

  • SQL Injection Blocker

    Hello all-
    I've got a server with a huge number of ColdFusion templates
    (over 10,000) which I really need to protect against SQL Injection.
    I know that CFQUERYPARAM is the best way to do this. I'd love
    to do it that way, but with so many pages, and so many queries it
    would take weeks/months to fix the queries, then test to make sure
    I didn't screw something up.
    So, I've come up with a plan that I wanted to get some input
    on.
    Currently, I have a page on my server that is included in
    almost every page that runs. It is a simple page that I can modify
    to change the status of my systems in the event of a database
    changeover, or some other sort of failure. (The pages still run,
    but no updating is allowed, only reading)
    Okay, so on this page which is always included, I was
    thinking about analyzing the variables that come over. I was
    thinking about looking for things that looked like a SQL injection
    attack and blocking the page from running.
    I wanted to know if this would work- anyone have ideas? This
    would be great because I could protect the entire server in about
    an hour. But, I don't want to give myself a false sense of security
    if this won't really do the job.

    First, here are some simple things you can do to protect all
    pages before you follow the other advice and plans in this thread:
    In CF administrator, click on your datasources and then the
    "Advanced" button.
    There you will uncheck all but the read and stored procedure
    and (possibly) write permissions. "Drop", "Create", etc., are
    definite no-nos here.
    If you haven't already, make one data source read-permissions
    only and refactor your code to use it everywhere except for
    carefully segregated updates, inserts and deletes.
    Now, in SQL Server itself, remove all permissions from the
    users that CF uses except for data_reader and (selectively) data
    writer and exec permissions on any procedures or functions you use.
    In SQL server, setup at least two CF users. One, should have
    only the data_reader permission (plus any read-only stored
    procedures).
    Find articles, such as this one:
    http://www.sqlservercentral.com/columnists/bknight/10securingyoursqlserver.asp,
    and follow their advice, start with locking down xp_cmdshell.
    These measures require little or no CF code changes but will
    block all but the most determined and skilled hackers. You still
    need to follow Adam's advice though.
    BTW, Dan is very wrong, ALL DB's are vulnerable to SQL
    injection.
    SQL server is not even the most vulnerable anymore (Studies
    show that Oracle now has that "honor").

  • Sql injection update signature

    hi,
    we are currently comparing Cisco IPS to TippingPoint. I have a Cisco IPS in front and TippingPoint in the back, so we are checking if Cisco IPS is missing on a lot of stuff, and currently it is missing on SQL injection attacks and cross scripting, which seems to be the weak point in Cisco IPS; it's missing a lot on SQL injection signatures. I mean, why does a simple update/set command not have a signature?

    Thank you for your reply. Do you know how to get in contact with the IPS signature engineers at Cisco? I would like to share my comparison with them, as well as an attack that is passing all SQL injection signatures containing update but with u%pdate, and the SQL database is interpreting it as a normal update.

  • SQL Injection concerns

    I have been studying sql injection attacks and the
    mysql_real_escape function.
    I read the adobe technote about sql injection and it noted
    that Dreamweaver 8.0 incorporates anti-sql injection code to
    prevent attacks and it specifically refers to Add, Delete, and
    Update; Filtered Recordsets, and Login User server behaviors. Can
    anyone please confirm this to put my mind at ease?
    The Search form and results page uses a filtered recordset,
    so can I presume that it is guarded from attack?
    Can you tell me of any areas that I need to add anti-sql
    injection code myself?
    Thank you so much for your help!

    EviePhillips wrote:
    > The code on this second page (the one where the form posts to) ECHOs the form variables. Do I need to enter the mysql_real_escape_string around each of the ECHOed posted form variables?
    No, mysql_real_escape_string() is used only when inserting user input values into a database. You cannot use it without a database connection.
    However, you should pass the values to htmlentities() before displaying them in your page. You can do this by accessing the Format menu in the Dynamic Text dialog box. After using the Bindings panel to insert the value, switch to the Server Behaviors panel, and double-click the Dynamic Text entry to open the dialog box.
    > I am then going to use the ADD Record server behavior to add the data to my database from this page, which based on your counsel is fully protected from sql injection.
    >
    > You are very kind for sharing your knowledge!
    > EP
    >
    David Powers, Adobe Community Expert
    Author, "The Essential Guide to Dreamweaver CS4", "PHP Solutions" & "PHP Object-Oriented Solutions"
    http://foundationphp.com/

  • SQL Injection and cfqueryparam

    I was told to look into <cfqueryparam> to assist in fighting sql-injection and it makes perfect sense, up until I thought of a different scenario...
    This tag seems great when you are dealing with numbers or text that you can restrict the number of characters, but what if you have a textarea that allows for a large amount of text to be entered? I.E. a search field for records that uses keywords.
    How do you stop someone from entering damaging sql into an area that accepts this?
    Thanks for any education.
    Wally Kolcz
    MyNextPet.org
    Founder / Developer
    586.871.4126

    WebDev wrote:
    It works because <cfqueryparam ....> tells the DBMS that this data is a value NOT SQL. The DBMS will then never process it as SQL. When you write the SQL and Values straight into the code, then the DBMS does not know what is what and assumes it all must be SQL.
    An Example...
    <cfquery ....>
    SELECT aField FROM aTable WHERE aField = '#aValue#'
    </cfquery>
    With this code, ColdFusion processes the entire body of the <cfquery...> tag into a string and sends that entire string to the DBMS as SQL. The DBMS then processes what it was given. If somebody can modify the aValue variable to change the SQL string - that is what is processed.
    <cfquery ...>
    SELECT aField FROM aTable WHERE aField = <cfqueryParam value="#aValue#"...>
    </cfquery>
    With this code ColdFusion processes the SQL and the queryParam as separate things. It sends the DBMS the SQL with parameters and a list of values to be used in those parameters. The DBMS knows the parameters are not SQL and will not process it as SQL, and if the parameter contains SQL it will just be used as a value and not parsed.
    FYI... That is how <cfqueryparam...> can improve performance. By knowing what parts of the SQL are variables, it can cache the SQL and just use different variables when they are passed to the DBMS.
    HTH
    Ian
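Wally's textarea scenario and Ian's explanation come together in the following added example, which is written for this page and is not code from either poster. It runs a keyword search over free text, binding every keyword as its own value so that the length of the input never matters for injection. The datasource "myDSN", the records table and its columns (record_id, title, body) are assumptions.

```cfml
<!--- Added example (not from the original thread): a keyword search over free
      text typed into a textarea. Assumed: datasource "myDSN", table records
      with columns record_id, title, body. --->
<cfparam name="form.keywords" default="">

<!--- Split the textarea on whitespace and cap how many keywords are used, so a
      large paste cannot grow into an oversized query. --->
<cfset keywords = listToArray(trim(form.keywords), " #chr(9)##chr(10)##chr(13)#")>
<cfset keywordCount = min(arrayLen(keywords), 10)>

<cfquery name="results" datasource="myDSN">
    SELECT record_id, title
    FROM   records
    WHERE  1 = 1
    <cfloop from="1" to="#keywordCount#" index="i">
        <!--- Each keyword is a bound value. The % wildcards are part of the
              value, so quotes, semicolons or SQL keywords inside a keyword are
              matched as text and never parsed as SQL. maxlength caps the bound
              value, including the two wildcard characters. --->
        AND (   title LIKE <cfqueryparam value="%#left(keywords[i], 50)#%" cfsqltype="cf_sql_varchar" maxlength="52">
             OR body  LIKE <cfqueryparam value="%#left(keywords[i], 50)#%" cfsqltype="cf_sql_varchar" maxlength="52">)
    </cfloop>
    ORDER BY title
</cfquery>
```

The SQL text that reaches the database contains only the fixed statement and one placeholder per keyword; the keywords travel separately as values, exactly as Ian describes. The remaining caveat is search quality rather than security: a % or _ typed inside a keyword still acts as a LIKE wildcard, so escape those characters in the value if exact matching matters.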

  • SQL injection and SQLFury

    We have recently had an SQL injection attack on our site.  The web form in question was calling a second cfm with a post command.  The second cfm did the actually db insert. After extensive research and revamping of the web form I believed that I had shut it down rather convincingly. I did the following to secure the form:
    - implemented the cfqueryparam tag on all applicable fields being entered in the form
    - introduced a hidden, random numeric variable for verification before completing the insert; it tests for its existence and if it is numeric
    - consolidated the two cfms into one page so the entry and insert are done in one cfm (to eliminate injection going directly thru insert cfm)
    However, I am still getting intermittent injection errors into my MS SQL table.  I don't believe it is getting in through the revised web form and am at a loss as to how it's getting through.
    I am now at the point that I am looking for a utility that will scan through my site or specific pages to identify SQL injection vulnerabilities.  I found something called SQLFury and downloaded it; however, there is literally no documentation with it and I have no idea how to run it.  I've researched the web and found no assistance on how to use this utility.  Is anyone familiar with this utility or does anyone know of any other utility that will assist with validating ColdFusion methods?
    Any assistance would be very much appreciated.

    Ian:
    Thanks for the information.  The utility is helpful and confirmed for me that my page was secure from SQL injection.  The additional insight you provided has led me to discover that my issue was not an SQL injection, but a Cross Scripting attack.  A web vulnerability utility from Acunetix helped me determine that.
    Thanks again,
    ...Wes

  • Preventing SQL injection - can't use cfqueryparam in this case

    Hello. I have a form with a checkbox next to each row.  If the user checks some boxes, then clicks the "Delete" button, I want to execute the following query, but I want to protect it from sql injection attacks:
        <cfquery datasource="#application.mainDS#">
            delete userMessages
            where messageID in (#form.messageID#)
        </cfquery>
    As written above, it works fine.  But if I try to protect this code with <cfqueryparam value="#form.messageID#" cfsqltype="cf_sql_varchar">, I get this error: "Conversion failed when converting the varchar value '7,21' to data type int" (7 and 21 are the messageID's to be deleted).  Obviously the comma prevents conversion to an integer.
    If I use cfsqltype="cf_sql_integer", then the string gets converted to a single integer (in this case 40015, which is nonsense).
    I tried passing form.messageID to a stored procedure, but I seemed to have the same problem there.  I could run the query in a loop where I just delete one row at a time, but I'd like to run just one query if I can do it safely.  Any ideas?
    Thanks.
    PK

    I agree that you should not do an SQL "DELETE" from a web page.  Instead, use "soft deletes," where you contrive for there to be a deleted_flag (boolean), and maybe deleted_by (varchar) and deleted_timestamp.  Then create an SQL "VIEW" which automagically omits the "deleted" records.
    It is also a very good idea to refer to the records using a nonsensical, made-up "moniker" instead of actual record-IDs.  You see, "if I am a nasty person and I know that there is a record #123456, then I'll bet I know the record-IDs of 123,455 other records, too."  But if you refer to the record as "QZB0E9S" and the next record-id in the list is "4Q_9RJPEM2" then it won't take me long to realize that I can't get too far, not even by brute-force.  (And if I see that the record-IDs seem to have verification tags, like "QZB0E9S:4E396", then I know that I am really scroo'd in my hacking-attempt because even if I did somehow million-monkeys my way into a valid record-ID, I've got no earthly idea how to come up with the tag.)
    It pays to code defensively, like this.  And it doesn't really take more time.  Without question, always use <cfqueryparam> !!
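PK's comma-separated list can in fact be bound with cfqueryparam: the tag's list attribute tells ColdFusion to split the value and bind each element as a separate parameter of the given type. The following added example (not code from the thread) does that, and also applies the soft-delete suggestion above. The datasource application.mainDS and the userMessages table come from the thread; the columns deleted_flag and owner_id and the variable session.userID are assumptions.

```cfml
<!--- Added example (not from the original thread): soft-delete the messages
      whose checkboxes were ticked. Assumed: columns deleted_flag and owner_id
      on userMessages, and session.userID holding the logged-in user's id. --->
<cfparam name="form.messageID" default="">

<!--- Checked boxes arrive as a comma list such as "7,21". list="true" makes
      ColdFusion bind every element as its own cf_sql_integer parameter, so the
      statement sent is "IN (?, ?)" and a non-numeric element is rejected before
      the statement runs. --->
<cfif len(trim(form.messageID))>
    <cfquery datasource="#application.mainDS#">
        UPDATE userMessages
        SET    deleted_flag = 1
        WHERE  owner_id = <cfqueryparam value="#session.userID#" cfsqltype="cf_sql_integer">
          AND  messageID IN (
                 <cfqueryparam value="#form.messageID#" cfsqltype="cf_sql_integer" list="true">
               )
    </cfquery>
</cfif>
```

The owner_id condition addresses the guessable-ID concern raised above from the other side: even if someone edits the checkbox values to another user's message IDs, the statement only touches rows the current session owns. The rows stay in the table with deleted_flag set, so a view that filters on that flag gives the application its "deleted" list without a DELETE ever running from the web tier.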
