Re: disable multiple queries - Mailing list pgsql-general

From Tom Lane
Subject Re: disable multiple queries
Msg-id 1203.965247947@sss.pgh.pa.us
In response to disable multiple queries  ("Poul L. Christiansen" <plc@faroenet.fo>)
List pgsql-general
"Poul L. Christiansen" <plc@faroenet.fo> writes:
> I'm developing a Cold Fusion (similar to PHP) application and I have a
> security problem. When I load a page "test.cfm?articleid=5" someone can
> alter the URL to
> "test.cfm?articleid=5;create%20table%20plc%20(plc%20int2)" if the hacker
> wanted to create a table.
> The sql passed to PostgreSQL is: "select * from article where articleid
> = #Url.ArticleId#"
> Which means that anybody can pass the sql that they like to PostgreSQL
> by using ";" to separate the queries. This is not good.

> I could of course verify the input and reject it if it wasn't a number,
> but I have almost 2000 different queries with all sorts of input (yes,
> it's a big app.).

> Can't I somehow disable multiple queries per SQL string so that ;
> doesn't work?

No, and if you could it'd still be a pretty incomplete solution.
Consider for example
    select * from article where articleid = 123
        UNION select-everything-from-some-other-table.
Not to mention possible risks from invoking functions, changing SELECT
to SELECT FOR UPDATE to cause denial-of-service problems, etc.

I'd suggest validating your input if you are worried about attacks
of this nature.  It's the only real defense.

            regards, tom lane
