Validate form input to protect against SQL Attack

  • sc0705837
    New Member
    • Feb 2009
    • 3

    Validate form input to protect against SQL Attack

    Hi there, I am trying to get the action page of the website I'm building to check whether the form input values are empty; if they are not, it will then check whether any of the form inputs contain any SQL. I have read in some other places that you can use cfparam or cfqueryparam to stop this, but I don't really know how to use them.

    This is the code:

    Code:
    <cfif len(form.username) EQ 0 OR len(form.password) EQ 0>
        <p>You did not enter a username or password</p>
        <p><a href="index.cfm">Please go back and try again</a></p>
    <cfelse>
        <!--- Form values are spliced straight into the SQL text --->
        <cfquery name = "login" datasource="blah">
        SELECT login, password
        FROM member
        WHERE login = '#form.username#' AND password = '#form.password#'
        </cfquery>

        <cfif login.RecordCount GT 0>

            <cfif form.username EQ login.login AND form.password EQ login.password>
                <p>Your name is right...</p>
                <cfset session.memberLogin = form.username>
            <cfelse>
                <p>Sorry incorrect username or password, please try again</p>
                <cflocation url="index.cfm">
            </cfif>

            <!--- session.memberLogin is the variable set on a successful login above --->
            <cfif session.memberLogin IS "admin">
                <cflocation url="index.cfm">
            <cfelse>
                <cflocation url="profile.cfm?un=#session.memberLogin#">
            </cfif>

        <cfelse>
            <p>Sorry you entered an incorrect username/password</p>
            <p><a href="index.cfm">Try again here!</a></p>
        </cfif>

    </cfif>
    Any help would be awesome, thanks.
  • jKara
    New Member
    • Nov 2008
    • 5

    #2
    Originally posted by sc0705837
    ...if they are not, it will then check whether any of the form inputs contain any SQL. I have read in some other places that you can use cfparam or cfqueryparam to stop this, but I don't really know how to use them.

    Code:
    <cfquery name = "login" datasource="blah">
    SELECT login, password
    FROM member
    WHERE login = '#form.username#' AND password = '#form.password#'
    </cfquery>
    It is cfqueryparam. It does not check to see if the inputs contain SQL, but rather _helps_ prevent malicious SQL from being executed in the query by enforcing data type rules.

    Using cfqueryparam is very simple. The most basic form requires only "value" and "cfsqltype". The cfsqltype is a string value that represents the data type of your table column. The correct values to use are determined by the database type, but some examples are: cf_sql_varchar, cf_sql_integer, etc.

    You can find more information about cfqueryparam in the online documentation.


    Code:
    ...
    FROM member
    WHERE login = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
      AND password = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar">

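    Putting the reply's advice into the original action page, as an added example (not code from either poster): every form value reaches the database as a bind parameter, cfparam gives the fields a default so a missing field cannot throw, and the session variable names, the datasource "blah" and the varchar lengths are assumptions.

```cfml
<!--- Default the fields so a request without them does not error out
      with "Element USERNAME is undefined in FORM" --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">

<cfif NOT len(trim(form.username)) OR NOT len(trim(form.password))>
    <p>You did not enter a username or password</p>
    <p><a href="index.cfm">Please go back and try again</a></p>
<cfelse>
    <!--- The values are bound as typed parameters, never spliced into the SQL text,
          so whatever they contain is treated as data, not as part of the statement.
          maxlength is an assumed column width; cfsqltype must match the column type. --->
    <cfquery name="login" datasource="blah">
        SELECT login, password
        FROM member
        WHERE login = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">
          AND password = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar" maxlength="50">
    </cfquery>

    <!--- Exactly one matching row means a valid login; the re-comparison in the
          original page is no longer needed because the database already matched both values --->
    <cfif login.recordCount EQ 1>
        <cfset session.memberLogin = login.login>
        <cfif session.memberLogin IS "admin">
            <cflocation url="index.cfm" addtoken="false">
        <cfelse>
            <!--- URL-encode the value before placing it in a query string --->
            <cflocation url="profile.cfm?un=#urlEncodedFormat(session.memberLogin)#" addtoken="false">
        </cfif>
    <cfelse>
        <p>Sorry, incorrect username or password, please try again</p>
        <p><a href="index.cfm">Try again here!</a></p>
    </cfif>
</cfif>
```

    The query still compares the password column as plain text, exactly as the original does; cfqueryparam only addresses how the values enter the SQL statement.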

    • sc0705837
      New Member
      • Feb 2009
      • 3

      #3
      Right, thanks a lot for the help, will just go set this up. It's only a student project, so this minimal amount of protection should be good enough.

      Thanks again!
