How can I programmatically sanitize ColdFusion cfquery parameters?

Posted 2024-07-05 07:43:45 · 289 characters · 11 views · 0 comments


I have inherited a large legacy ColdFusion app. There are hundreds of <cfquery>some sql here #variable#</cfquery> statements that need to be parameterized along the lines of: <cfquery> some sql here <cfqueryparam value="#variable#"/> </cfquery>

How can I go about adding parameterization programmatically?

I have thought about writing some regular expression or sed/awk'y sort of solution, but it seems like somebody somewhere has tackled such a problem. Bonus points awarded for inferring the sql type automatically.


Comments (5)

鲜肉鲜肉永远不皱 2024-07-12 07:43:46


Keep in mind that you may not be able to solve everything with <cfqueryparam>.

I've seen a number of examples where the order by field name is being passed in the query string, which is a slightly trickier problem to solve as you need to validate that in a more "manual" way.
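A heuristic rewriter in the spirit the question asks for, written here as an added example rather than code from the question, the answers or any published tool: it wraps bare #variable# references inside <cfquery> blocks in <cfqueryparam>, guesses the cfsqltype from whether the reference was quoted (the "bonus points" part, and only a guess that has to be reviewed), leaves references that already sit inside a <cfqueryparam> untouched, and, as the answer above warns, refuses to rewrite identifier positions such as ORDER BY or FROM, reporting them for an allow-list check instead. The CFML sample input and the function names are constructed for this example.

```python
"""Heuristic scanner/rewriter for legacy <cfquery> blocks (added example, not a published tool).

Bare #var# references become <cfqueryparam> tags with a guessed cfsqltype;
references already inside a <cfqueryparam> are left alone; identifier positions
(ORDER BY, GROUP BY, FROM, JOIN) cannot take a bind parameter and are reported
for manual allow-list validation instead.
"""
import re

CFQUERY_RE = re.compile(r"(<cfquery\b[^>]*>)(.*?)(</cfquery>)", re.IGNORECASE | re.DOTALL)
QUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE | re.DOTALL)
# Alternative 1: quoted '#var#' (a string literal); alternative 2: bare #var#.
VAR_RE = re.compile(r"'#([^#']+)#'|#([^#'\s]+)#")
# SQL keywords after which the next token is an identifier, not data.
IDENTIFIER_POS_RE = re.compile(r"\b(order\s+by|group\s+by|from|join)\s*$", re.IGNORECASE)


def guess_sqltype(quoted):
    """Type inference heuristic: quoted values are text, bare values are assumed numeric.
    A human must confirm the guess (dates, decimals and bit columns need other types)."""
    return "cf_sql_varchar" if quoted else "cf_sql_integer"


def rewrite_body(body):
    """Rewrite the SQL text of one <cfquery>. Returns (new_body, findings)."""
    findings = []
    stash = []

    def hide(m):  # keep existing <cfqueryparam> tags (and their #var#) out of the rewrite
        stash.append(m.group(0))
        return "\x00%d\x00" % (len(stash) - 1)

    def repl(m):
        quoted = m.group(1) is not None
        var = m.group(1) if quoted else m.group(2)
        before = m.string[:m.start()]
        if IDENTIFIER_POS_RE.search(before):
            # No bind parameter possible here; the value must be checked against an allow-list.
            findings.append({"variable": var, "action": "manual-review",
                             "reason": "identifier position; validate against an allow-list"})
            return m.group(0)
        sqltype = guess_sqltype(quoted)
        findings.append({"variable": var, "action": "parameterized", "sqltype": sqltype})
        return '<cfqueryparam value="#%s#" cfsqltype="%s">' % (var, sqltype)

    protected = QUERYPARAM_RE.sub(hide, body)
    rewritten = VAR_RE.sub(repl, protected)  # single pass, so inserted tags are not rescanned
    restored = re.sub(r"\x00(\d+)\x00", lambda m: stash[int(m.group(1))], rewritten)
    return restored, findings


def parameterize_cfml(source):
    """Rewrite every <cfquery>...</cfquery> in a CFML source string.
    Returns (rewritten_source, findings) so the result can be reviewed before it is written back."""
    all_findings = []

    def per_query(m):
        new_body, findings = rewrite_body(m.group(2))
        all_findings.extend(findings)
        return m.group(1) + new_body + m.group(3)

    return CFQUERY_RE.sub(per_query, source), all_findings


# Constructed sample: one legacy query mixing bare, quoted, already-parameterized and ORDER BY uses.
SAMPLE = """<cfquery name="getUsers" datasource="app">
    SELECT id, name FROM users
    WHERE id = #url.id#
      AND status = '#form.status#'
      AND created > <cfqueryparam value="#form.since#" cfsqltype="cf_sql_timestamp">
    ORDER BY #url.sortcol#
</cfquery>"""

if __name__ == "__main__":
    out, findings = parameterize_cfml(SAMPLE)
    print(out)
    for f in findings:
        print(f)
```

Run it over the repository one file at a time and read the findings list before writing anything back: the cfsqltype guess is only a starting point, and every manual-review finding needs a hand-written allow-list of permitted column names (for example a cfswitch over the accepted sort columns) rather than a parameter.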

落叶缤纷 2024-07-12 07:43:46


There is a script referenced here: http://www.webapper.net/index.cfm/2008/7/22/ColdFusion-SQL-Injection that will do the majority of the heavy lifting for you. All you have to do is check the queries and make sure the syntax will parse properly.

There is no excuse for not using CFQueryParam: apart from it being much more secure, it is a performance boost and the best way to handle quoted values in character-based column types.

潦草背影 2024-07-12 07:43:46

<cf_inputFilter
    scopes="FORM,COOKIE,URL"
    chars="<,>,!,&,|,%,=,(,),',{,}"
    tags="script,embed,applet,object,HTML">

We used this to counteract a recent SQL injection attack. We added it to the Application.cfm file for our site.

疧_╮線 2024-07-12 07:43:46


I doubt that there is a solution that will fit your needs exactly. The only option I see is to write your own recursive search that builds a report for you or use one of the apps/scripts that people have listed above. Basically, you are going to have to edit each page or approve all of the automated changes.

回心转意 2024-07-12 07:43:45


There's a queryparam scanner that will find them for you on RIAForge: http://qpscanner.riaforge.org/
