Protect Dreamweaver's ColdFusion server behaviors from SQL injection attacks.
Security risk of SQL injection attacks
Some databases let you send multiple SQL statements in a single query. Because of this, there are potential security risks when you pass parameters in a query string to a dynamically generated database query. Hackers might try to modify URL or form variables in a dynamic query by appending malicious SQL statements to existing parameters. This is often referred to as a SQL injection attack. Some of the server behavior code created by Dreamweaver should be modified to reduce the risk of SQL injection attacks. For more background information on SQL injection, see this Wikipedia article.
Note: The issue described in this article was fixed in the Dreamweaver 8.0.2 Updater.
Solution: Update the server behaviors
When you let a query string pass a parameter, ensure that only the expected information is passed. Adobe created a Dreamweaver 8.0.2 Updater that reduces the risk of SQL injection attacks. These fixes are incorporated into all subsequent releases of Dreamweaver. After updating Dreamweaver 8, you will need to reapply the server behaviors to the pages that use them, and then redeploy those pages to your server.
The remainder of this document describes how to manually edit Dreamweaver MX 2004 code to prevent SQL injection attacks with the ColdFusion server model. Server behaviors that are vulnerable to these attacks are listed below, along with the fixes:
Recordset with a filter
Unfiltered recordsets do not need to be modified, but filtered recordsets do. In the example below, a Dreamweaver MX 2004 recordset named "Recordset1" is filtered by an ID value passed in from a URL parameter. The highlighted code below is what needs to be changed:
<cfquery name="Recordset1" datasource="cafetownsend"> SELECT * FROM COMMENTS WHERE COMMENT_ID =#URL.COMMENT_ID#</cfquery>
To protect the recordset from SQL injection attacks, use the cfqueryparam tag within the cfquery tag that contains the SQL SELECT statement. The cfqueryparam tag will verify the data type of the query parameter and help secure your databases from unauthorized users. The line in yellow is the modified secure code:
<cfquery name="Recordset1" datasource="cafetownsend"> SELECT * FROM COMMENTS WHERE COMMENT_ID =<cfqueryparam value="#URL.COMMENT_ID#" cfsqltype="cf_sql_numeric"></cfquery>
Insert Record server behaviors and Record Insertion Form Wizard
To protect the recordset from SQL injection attacks, use the cfqueryparam tag within the cfquery tag that contains the SQL INSERT statement. The cfqueryparam tag will verify the data type of the query parameter and help secure your databases from unauthorized users.
Original code. The highlighted code below is what will need to be changed:
<cfquery datasource="cafetownsend"> INSERT INTO COMMENTS (FIRST_NAME, LAST_NAME, TELEPHONE) VALUES (<cfif IsDefined("FORM.textfield1") AND #FORM.textfield1# NEQ "">'#FORM.textfield1#'<cfelse>NULL</cfif> ,<cfif IsDefined("FORM.textfield2") AND #FORM.textfield2# NEQ "">'#FORM.textfield2#'<cfelse>NULL</cfif> ,<cfif IsDefined("FORM.textfield3") AND #FORM.textfield3# NEQ "">'#FORM.textfield3#'<cfelse>NULL</cfif> )</cfquery>
Modified secured code:
<cfquery datasource="cafetownsend"> INSERT INTO COMMENTS (FIRST_NAME, LAST_NAME, TELEPHONE) VALUES<cfif IsDefined("FORM.textfield1") AND #FORM.textfield1# NEQ ""><cfqueryparam value="#FORM.textfield1#" cfsqltype="cf_sql_clob" maxlength="50"><cfelse>''</cfif> ,<cfif IsDefined("FORM.textfield2") AND #FORM.textfield2# NEQ ""><cfqueryparam value="#FORM.textfield2#" cfsqltype="cf_sql_clob" maxlength="50"><cfelse>''</cfif> ,<cfif IsDefined("FORM.textfield3") AND #FORM.textfield3# NEQ ""><cfqueryparam value="#FORM.textfield3#" cfsqltype="cf_sql_clob" maxlength="20"><cfelse>''</cfif> )</cfquery>
Note: Choose the appropriate cfslqtype and maxlength values for your data.
Update Record and Record Update Form Wizard
The Update Record server behavior and Record Update Form Wizard require a combination of the fixes above. First, look for the cfquery that contains the SQL SELECT statement and modify it as described in Recordset with a filter. Then, look for the cfquery that contains the SQL UPDATE statement and modify it as described in Insert Record server behaviors and Record Insertion Form Wizard.
Delete Record server behavior
The Delete Record server behavior modification is similar to the one for Recordset with a filter.
Original code:
<cfquery datasource="cafetownsend"> DELETE FROM COMMENTS WHERE COMMENT_ID=#URL.COMMENT_ID#</cfquery>
Modified secure code:
<cfquery datasource="cafetownsend"> DELETE FROM COMMENTS WHERE COMMENT_ID=<cfqueryparam value="#URL.COMMENT_ID#" cfsqltype="cf_sql_numeric"></cfquery>
Note: Choose the appropriate cfslqtype and maxlength values for your data.
Log In User server behavior
To fix the Log In User server behavior code, look for the cfquery tags and add cfqueryparam tags.
Original code:
<cfquery name="MM_rsUser" datasource="cafetownsend"> SELECT FIRST_NAME,LAST_NAME FROM COMMENTS WHERE FIRST_NAME='#FORM.textfield1#' AND LAST_NAME='#FORM.textfield2#'</cfquery>
Modified secured code:
<cfquery name="MM_rsUser" datasource="cafetownsend"> SELECT FIRST_NAME,LAST_NAME FROM COMMENTS WHERE FIRST_NAME=<cfqueryparam value="#FORM.textfield1#" cfsqltype="cf_sql_clob" maxlength="50"> AND LAST_NAME=<cfqueryparam value="#FORM.textfield2#" cfsqltype="cf_sql_clob" maxlength="50"></cfquery>
Note: Choose the appropriate cfslqtype and maxlength values for your data.
Check New User server behavior
The Check New User server behavior requires that an Insert Record server behavior be added to the page first. First, look for the cfquery that contains the SQL SELECT statement and modify it as described in Recordset with a filter. Then, look for the cfquery that contains the SQL INSERT statement and modify it as described in Insert Record server behaviors and Record Insertion Form Wizard.
Master Detail Page Set
For the Master Detail Page Set application object, the changes are mainly in the recordset that Dreamweaver creates for the Detail Page. If you don't have a filtered recordset in the Master Page, then no changes need to be made to the Master Page. If you do have a filtered recordset on the Master Page, then see Recordset with a filter to update the recordset code.
For the Detail Page, look for the cfquery that contains the SQL SELECT statement and modify it as described in Recordset with a filter.
Additional information
Adobe recommends that you use the cfqueryparam tag within every cfquery tag to help secure your databases from unauthorized users. For more information, see:
- Enhancing security with cfqueryparam
- Adobe Security Bulletin: APSB 06-07 Dreamweaver Server Behavior SQL Injection vulnerability