cftopper.com

Tip: Protect your MySQL from SQL Injection

Here's an important tip for everybody using MySQL, you need to set the following option in your my.ini or my.cnf configuration file to prevent SQL injection attacks.

sql-mode=NO_BACKSLASH_ESCAPES

Before you do this, If you have a simple search on your site and a user inserts

test\'' OR 1 = 1   --

instead of just

test

The \'' will get escaped and your SQL statment will turn from something like:

WHERE variable LIKE 'test' AND userId = 55;

to something like:

WHERE variable LIKE 'test' OR 1 = 1 -- AND userId = 55;

Because -- is the start of a a comment in MySQL, the AND userId = 55 bit will be ignored.
Tags: ColdFusion | MySQL
Posted by Topper at 07:23PM Permalink Comments [2] - Leave a comment

About Topper on ColdFusion

Peter Coppinger aka Topper is a neurotic web monster who spends most of his chaotic life developing ColdFusion web applications when not drinking himself into a stupor and scheming his plans for world dominance.

Peter founded Digital Crew way back in 1999. Digital Crew run CFTagStore.com and have also produced lots of powerful ColdFusion tools like ProFlashUpload and CFMyAdmin.

I made this site to share my thoughts, tips and tools with fellow ColdFusion developers.

If your a ColdFusion developer, go ahead and subscribe to this site and in exchange i'll try to provide quality content to make it worth your while.
RSS Feed for Topper on ColdFusion

    I'm speaking at CF-United Europe!

    CFDevCon I'm going to be speaking at CFDevCon08! It's my second time speaking in front of more than 10 people so please lend your support.

    The topic is:
    Introducting TeamworkCMS and Site Engine - Building better websites in half the time or something like that..

    My ColdFusion Software

    My Blogs

    Digging

    My Work - Just Finished

    • modules.cit.ie
      Web-=based modules/programmes designer tool and database system for Cork institute of technology.
    • Teamwork Project Manager
      The top secret project is finally released. The project management app will rock your world - give it a go.
    • PMG
      New website for Project Management Group website.
    • Digital Warehouse Wholesale
      Added wholesale products to existing client website.
    • New Digital Crew documentation website
      New version of documentation.digital-crew.com using new InfinityCMS site engine. It's done now. Just add content.
    • PFH Company Webite
      New website/CMS/Newsletter System for prestigious Irish IT company.
    • Module Manager for CIT
      CIT is switching to module based courses. We are making an application for managing/submitting these modules. Gettig there.
    • Bons Secours Cork Hospital Intranet
      New Intranet for Bons Secours hospital in Cork. Considering turning this Intranet system into stand-alone product.
    • Revamping InfinityCMS
      I'm making major improvements to our content management solution, InfinityCMS. Making it faster, more powerful and easier to check into/out-of source control. Done but it's always going to be evolving.
    • BPC Update
      Minor functionality update for internal Pfizer Best Process Chemistry project.

    Archive

    Tags