An old client of mine recently contacted me with a problem. Their home page, several sub-pages, and the administrative section weren’t displaying properly and functionality was broken. Turns out, they were a victim of the recent swarm of SQL injection attacks.
After pulling the old code out of my repository, I discovered that I’d used CFQUERYPARAM (I won’t reiterate the hundreds of articles you can find by yourself stating, “USE CFQUERYPARAM, DUMMY!!”) in all of my business logic code, so I couldn’t quite figure out what was going on. While perusing the web for other ideas, I ran across Jason Bartholme’s blog entry about preventing SQL injection attacks. He has a simple bit of code that he put in onRequestStart() to check if the keyword DECLARE was in the URL.
<!--- Only bother if the request actually carries a querystring --->
<cfif not structIsEmpty(URL)>
    <cfloop list="#StructKeyList(URL)#" index="i">
        <!--- "4445434C415245" is the hex encoding of the word DECLARE, which this
              wave of attacks smuggles in as a hex-encoded string inside a URL value --->
        <cfif URL[i] CONTAINS "4445434C415245">
            <!--- Mail yourself the full URL and CGI scopes so you can see the request --->
            <cfmail to="me@mysite.com" from="them@theirsite.com" subject="SQL Injection Attempt" type="html">
                <cfdump var="#URL#">
                <cfdump var="#CGI#">
            </cfmail>
            <!--- Stop processing before the request reaches any query --->
            <cfabort>
        </cfif>
    </cfloop>
</cfif>
This worked like a charm and allowed me to see what exactly these jerkoffs were doing. Turned out I had left CFQUERYPARAM out of some queries I was running for the Contact Us page and a few product display pages. Once I added the tags, the attacks stopped.
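For readers who want to see what "adding the tags" looks like, here is an added example (my own, not code from the post or Jason's entry) of a hypothetical product-display query and Contact Us insert, first written the way the broken pages were, then with CFQUERYPARAM. The datasource name, table and column names are assumptions.

```cfml
<!--- BEFORE: URL.productID is dropped straight into the SQL text, so anything in
      the querystring, including a hex-encoded DECLARE payload, becomes part of
      the statement the database executes --->
<cfquery name="getProduct" datasource="#application.dsn#">
    SELECT productID, productName, description
    FROM products
    WHERE productID = #URL.productID#
</cfquery>

<!--- AFTER: cfqueryparam binds the value as a typed parameter; the database never
      parses it as SQL, and a non-numeric productID is rejected before the query runs --->
<cfquery name="getProduct" datasource="#application.dsn#">
    SELECT productID, productName, description
    FROM products
    WHERE productID = <cfqueryparam value="#URL.productID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same idea for free-text form fields on the Contact Us page: use the varchar
      type and a maxlength that matches the column so oversized input is refused --->
<cfquery datasource="#application.dsn#">
    INSERT INTO contactRequests (senderName, senderEmail, message)
    VALUES (
        <cfqueryparam value="#FORM.senderName#" cfsqltype="cf_sql_varchar" maxlength="100">,
        <cfqueryparam value="#FORM.senderEmail#" cfsqltype="cf_sql_varchar" maxlength="254">,
        <cfqueryparam value="#FORM.message#" cfsqltype="cf_sql_longvarchar">
    )
</cfquery>
```

The onRequestStart() tripwire above only catches this campaign's particular hex spelling of DECLARE; the parameterised queries are what actually close the hole.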
If you’re seeing SQL injection attacks, just add the code to application.cfm or the onRequestStart() function of application.cfc to see if this is the method the attackers are using and what they are doing.
Thanks Jason!