# sql
b
I'm cleaning up some legacy code to move to a new server, including adding cfqueryparam tags where they don't exist. I just ran into an instance where they are passing the entire query as a URL parameter. Is there any way to secure this, and is there any bigger open door for SQL injection than this?
p
Uhh, rewrite entirely! Who's passing a query freely in as a param to execute any sort of SQL they want? That's a vulnerability hell.
b
Yeah, there's no good "fix" for that.
If it were maybe just the ORDER BY, then you could parse it and check it for valid columns, etc., and use it to build the real ORDER BY with a switch statement, etc.
But actual SQL is no good.
t
You could run that query with a separate data source with a user that has read-only permission (assuming it's a SELECT query that's getting passed...). That would at least limit the damage that could be done while it's being refactored for real.
b
Most of the SQLi attacks I've seen actually use SELECTs, so read-only would be just fine by them 🙂
?order_name=wood' UNION ALL SELECT password, pin, ssn from users
t
Right, it limits the damage to data theft, instead of data theft AND corruption.
c
There are a few community projects that can help, but by no means are they 100% protection. Plus, many cloud WAF providers do a "generally" good job at chopping these out.