Reputation: 2240
Is this an example of an SQL Injection Attack?
I developed a web site for a client where they will post images of their merchandise online. The url is www.domiainname.com/item-details.cfm?sku=125. Someone tried browsing to www.domiainname.com/item-details.cfm?sku=125%20and%203=3 which produced and error in which I'm notified.
I've also received error reports of:
item-details.cfm?sku=1291+or+1=@@version--
item-details.cfm?sku=1291'+or+1=@@version
item-details.cfm?sku=1291+or+1=@@version
The last three examples are definitely of someone trying to get into the system, right?
If we converted this to be stored procedures, would that reduce or eliminate the risk of insertion attacks?
Upvotes: 9
Views: 5169
Answers (3)
Reputation: 662
Yep, someone attempted SQL injection. If you check the sku variable correctly in your code, this will not do any harm.
Upvotes: 0
Reputation: 61812
Yes, it appears that someone is being malicious.
Using cfqueryparam will prevent SQL-injection attacks. When in doubt (and it's CF), ask Ben:
SQL Injection Attacks, Easy To Prevent, But Apparently Still Ignored
Example:
<cfquery ...>
SELECT *
FROM Products
WHERE SKU=<cfqueryparam value="#URL.SKU#" cfsqltype="CF_SQL_INTEGER">
</cfquery>
Upvotes: 8
Related Questions
- How to counter this SQL Injection risk (Coldfusion)?
- ColdFusion sql issue
- Coldfusion SQL injection? failing a web application inspection
- ColdFusion and Oracle SQL Injection Example
- How do I prevent SQL injection with ColdFusion
- What kind of SQL injection is this?
- ColdFusion Query - Injection Protection
- Is this an SQL injection attack
- what does this SQL statment do? select inside insert?
- Is this Coldfusion query SQL Injection proof?