To reduce round trips between the client and the database server, many SQL database servers permit the client to submit multiple SQL statements in a single request, separated by a semicolon (;). This is often called statement stacking. For these database management systems, the following SQL request is valid:
DELETE from trips where tripLocation = 'China'; SELECT tripName from trips
This request might be an efficient way to list the trips that remain after the database management system removes the China trip. Problems arise when the SQL statement is built dynamically.
In the Trip Maintenance application, when the client program or user passes an ID in the URL that calls the Trip Detail page, the page displays the relevant trip information. The following code builds the correct WHERE clause that supports this behavior:
<cfif IsDefined("URL.ID")> WHERE tripID = #URL.ID# </cfif>
If a user calls the Trip Detail page with the following URL:
http://localhost/cfdocs/getting_started/my_app/tripdetail.cfm?ID=24;DROP+trips
the value of URL.ID becomes 24;DROP trips (the + in the query string decodes to a space), and the generated SQL is SELECT ... WHERE tripID = 24;DROP trips. A database management system that accepts stacked statements executes the intended SELECT statement for trip 24 and then immediately executes the injected statement, which erases the Trips table from the database. (In standard SQL the destructive statement is spelled DROP TABLE trips; the exact syntax and whether stacked statements are accepted at all depend on the DBMS and driver, which is why this attack must be prevented in the application rather than left to the database.)
To ensure that your application is protected from such an attack, you can exploit the fact that the ID must be a numeric value. The CFML Val function returns the numeric value at the beginning of a string expression. You can use the Val function as follows:
<cfif IsDefined("URL.ID")> WHERE tripID = #Val(URL.ID)# </cfif>
If nonnumeric data is passed within the URL ID field, the Val function returns 0, and the trip with ID 0 appears (if one exists). Val stops at the first character that cannot be part of a number, so if the user enters the previously cited URL (http://localhost/cfdocs/getting_started/my_app/tripdetail.cfm?ID=24;DROP+trips), only the number 24 reaches the query: the application ignores the nonnumeric values and displays the trip information of trip ID 24.
Warning: The exercises in this tutorial ignore the risk of attack through dynamic SQL. To eliminate this risk, use ColdFusion functions (such as Val) to perform type checking on all URL parameters. Note that Val only helps for parameters that must be numeric; it does nothing for string parameters such as a trip name. For queries, you can also use the cfqueryparam tag, which passes the value to the database as a typed bound parameter instead of splicing it into the SQL text, so it is never interpreted as SQL. cfqueryparam is explained in CFML Reference.
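The attack on the Trip Detail page and the two defenses above (Val-style coercion and a typed bound parameter), as an added example that is not code from the ColdFusion tutorial. It is written in Python against an in-memory SQLite database rather than CFML so that it runs stand-alone: the trips table and its rows, the URL parsing, the val() helper that approximates CFML Val, and run_request(), a toy model of a driver that accepts several semicolon-separated statements in one request, are all constructed here. The attack URL uses the standard spelling DROP TABLE trips so that the injected statement is valid SQL.

```python
"""Stacked-statement SQL injection and two defenses, modelled on SQLite.

Added example, not code from the ColdFusion tutorial. The trips table, its
rows, the URL parsing and the Val()-style helper are constructed here;
run_request() is a toy model of a driver that accepts several
semicolon-separated statements in one request.
"""
import re
import sqlite3
from urllib.parse import unquote_plus, urlsplit

# Standard SQL spells the destructive statement DROP TABLE; the tutorial's
# "DROP trips" would be a syntax error on most DBMSs, so the URL here uses it.
ATTACK_URL = ("http://localhost/cfdocs/getting_started/my_app/tripdetail.cfm"
              "?ID=24;DROP+TABLE+trips")


def fresh_db():
    """In-memory database holding a constructed trips table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE trips (tripID INTEGER PRIMARY KEY, tripName TEXT,
                            tripLocation TEXT);
        INSERT INTO trips VALUES (24, 'Great Wall Trek', 'China');
        INSERT INTO trips VALUES (25, 'Alpine Hike', 'Switzerland');
    """)
    return con


def url_id(url):
    """Mimic URL.ID: the decoded value of the ID query parameter, else None."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "ID":
            return unquote_plus(value)      # '+' decodes to a space
    return None


def run_request(con, request_sql):
    """Toy multi-statement driver: runs every ';'-separated statement in turn
    and returns the rows the statements produced. sqlite3's execute() refuses
    stacked statements, which is why they are split and run one by one here."""
    rows = []
    for statement in request_sql.split(";"):
        if statement.strip():
            rows.extend(r[0] for r in con.execute(statement).fetchall())
    return rows


def table_exists(con, name="trips"):
    """True if the table is still present in the schema."""
    found = con.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                        (name,)).fetchone()
    return found is not None


def val(text):
    """Approximation of CFML Val(): the number at the start of the string, else 0."""
    m = re.match(r"\s*[-+]?(\d+(\.\d+)?|\.\d+)", text)
    if not m:
        return 0
    number = m.group(0).strip()
    return float(number) if "." in number else int(number)


def trip_detail_vulnerable(con, raw_id):
    """The tutorial's WHERE tripID = #URL.ID#: the raw string is spliced in."""
    return run_request(con, f"SELECT tripName FROM trips WHERE tripID = {raw_id}")


def trip_detail_val(con, raw_id):
    """WHERE tripID = #Val(URL.ID)#: only the leading number reaches the SQL."""
    return run_request(con, f"SELECT tripName FROM trips WHERE tripID = {val(raw_id)}")


def trip_detail_param(con, raw_id):
    """Type check plus a bound parameter (the cfqueryparam approach): the value
    is never part of the SQL text, and non-integers are rejected up front."""
    trip_id = int(raw_id)                  # raises ValueError on '24;DROP TABLE trips'
    cur = con.execute("SELECT tripName FROM trips WHERE tripID = ?", (trip_id,))
    return [r[0] for r in cur.fetchall()]


def demo():
    """Run the attack URL through all three builders, each on a fresh database.
    Each entry is (rows returned, whether the trips table survived)."""
    raw = url_id(ATTACK_URL)
    out = {"raw_id": raw}
    con = fresh_db()
    out["vulnerable"] = (trip_detail_vulnerable(con, raw), table_exists(con))
    con = fresh_db()
    out["val"] = (trip_detail_val(con, raw), table_exists(con))
    con = fresh_db()
    try:
        out["param"] = (trip_detail_param(con, raw), table_exists(con))
    except ValueError:
        out["param"] = ("rejected", table_exists(con))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable builder returns trip 24 and then loses the whole table; the Val builder returns trip 24 with the table intact, because everything after the leading number is discarded before the SQL is built; the bound-parameter builder refuses the request outright, which is the behavior to prefer for any user-supplied value, since it also covers string parameters that Val cannot protect.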