disable multiple queries

Started by Poul L. Christiansen, over 25 years ago, 3 messages, general
#1Poul L. Christiansen
plc@faroenet.fo

Hi

I'm developing a Cold Fusion (similar to PHP) application and I have a
security problem. When I load a page "test.cfm?articleid=5" someone can
alter the URL to
"test.cfm?articleid=5;create%20table%20plc%20(plc%20int2)" if the hacker
wanted to create a table.
The SQL passed to PostgreSQL is: "select * from article where articleid
= #Url.ArticleId#"
Which means that anybody can pass the SQL that they like to PostgreSQL
by using ";" to separate the queries. This is not good.

I could of course verify the input and reject it if it wasn't a number,
but I have almost 2000 different queries with all sorts of input (yes,
it's a big app.).

Can't I somehow disable multiple queries per SQL string so that ";"
doesn't work?

I don't know if this affects PHP apps.

I'm using PostgreSQL 7.0.0 installed on Red Hat 6.1 with RPM and the ODBC
driver from Insight Distribution Systems 6.40.00.08 on Windows NT 4.0.

Thanks,
Poul L. Christiansen

#2Noname
brianb-pggeneral@edsamail.com
In reply to: Poul L. Christiansen (#1)
Re: disable multiple queries

Poul L. Christiansen writes:

> I could of course verify the input and reject it if it wasn't a number,
> but I have almost 2000 different queries with all sorts of input (yes,
> it's a big app.).
>
> Can't I somehow disable multiple queries per SQL string so that ";"
> doesn't work?
>
> I don't know if this affects PHP apps.

It's not Cold Fusion specific. It affects all web applications, regardless
of development platform, that blindly plug form data into SQL queries
without checking it.

Brian
--
Brian Baquiran <brianb@edsamail.com>
http://www.baquiran.com/ AIM: bbaquiran
Work: +63(2)7182222 Home: +63(2) 9227123

I'm smarter than average. Therefore, average, to me, seems kind of stupid.
People weren't purposely being stupid. It just came naturally.
-- Bruce "Tog" Tognazzini

#3Tom Lane
tgl@sss.pgh.pa.us
In reply to: Poul L. Christiansen (#1)
Re: disable multiple queries

"Poul L. Christiansen" <plc@faroenet.fo> writes:

> I'm developing a Cold Fusion (similar to PHP) application and I have a
> security problem. When I load a page "test.cfm?articleid=5" someone can
> alter the URL to
> "test.cfm?articleid=5;create%20table%20plc%20(plc%20int2)" if the hacker
> wanted to create a table.
> The SQL passed to PostgreSQL is: "select * from article where articleid
> = #Url.ArticleId#"
> Which means that anybody can pass the SQL that they like to PostgreSQL
> by using ";" to separate the queries. This is not good.
>
> I could of course verify the input and reject it if it wasn't a number,
> but I have almost 2000 different queries with all sorts of input (yes,
> it's a big app.).
>
> Can't I somehow disable multiple queries per SQL string so that ";"
> doesn't work?

No, and if you could it'd still be a pretty incomplete solution.
Consider for example

    select * from article where articleid = 123
    UNION select-everything-from-some-other-table.

Not to mention possible risks from invoking functions, changing SELECT
to SELECT FOR UPDATE to cause denial-of-service problems, etc.

I'd suggest validating your input if you are worried about attacks
of this nature. It's the only real defense.

regards, tom lane
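The following is an added example and is not part of the thread or of the poster's application. It reproduces the `#Url.ArticleId#` interpolation pattern from message #1 against a small constructed schema, using Python's `sqlite3` module in place of PostgreSQL (an assumption made so the example runs offline). That driver happens to execute only one statement per `execute()` call, which is exactly the "disable multiple queries" behaviour the poster asked for, so the example can show Tom Lane's point directly: the stacked `; create table` attempt is refused, but the `UNION` form he describes still reads another table through the same interpolated query. The `lookup_safe` function shows the defence he recommends, an allow-list check on the input, combined with a bound parameter so the database never parses user data as SQL text. The table and column names, `secrets` included, are constructed for the demo.

```python
import re
import sqlite3

# Constructed in-memory schema standing in for the poster's "article" table,
# plus a second table that a query should never be able to reach through the
# articleid parameter. None of this is the real application's data.
SETUP_SQL = """
CREATE TABLE article (articleid INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE secrets (id INTEGER PRIMARY KEY, value TEXT);
INSERT INTO article VALUES (5, 'public article');
INSERT INTO secrets VALUES (1, 'not for the web');
"""


def new_db():
    """Fresh in-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)
    return conn


def lookup_unsafe(conn, article_id):
    """The pattern from the thread: the URL parameter is spliced straight into
    the SQL text, exactly like "... where articleid = #Url.ArticleId#"."""
    sql = "SELECT articleid, title FROM article WHERE articleid = " + article_id
    return conn.execute(sql).fetchall()


def stacked_query_rejected(conn, article_id):
    """sqlite3 runs one statement per execute() call, which is the
    "disable multiple queries" behaviour the poster asked about.
    Returns True when the driver refused the input, False when it ran it."""
    sql = "SELECT articleid, title FROM article WHERE articleid = " + article_id
    try:
        conn.execute(sql).fetchall()
    except (sqlite3.Warning, sqlite3.Error):
        # Older Pythons raise sqlite3.Warning here, newer ones ProgrammingError.
        return True
    return False


# Allow-list for the parameter: a plain decimal integer of sane length.
# re.fullmatch is used instead of str.isdigit, which also accepts non-ASCII digits.
ARTICLE_ID_RE = re.compile(r"[0-9]{1,9}")


def is_valid_article_id(value):
    """True only if the raw URL value is a plain decimal integer."""
    return ARTICLE_ID_RE.fullmatch(value) is not None


def lookup_safe(conn, article_id):
    """Validate first, then bind the value as a parameter so the database
    receives it as data, never as part of the SQL text."""
    if not is_valid_article_id(article_id):
        raise ValueError("articleid must be a positive integer")
    return conn.execute(
        "SELECT articleid, title FROM article WHERE articleid = ?",
        (int(article_id),),
    ).fetchall()


if __name__ == "__main__":
    db = new_db()
    print("normal:", lookup_unsafe(db, "5"))
    print("stacked statement refused:",
          stacked_query_rejected(db, "5; CREATE TABLE plc (plc int2)"))
    print("UNION still works against the unsafe query:",
          lookup_unsafe(db, "123 UNION SELECT id, value FROM secrets"))
    print("validated + bound:", lookup_safe(db, "5"))
```

The point to take from running it is that single-statement enforcement at the driver only blocks the one shape of attack the poster noticed; the `UNION` query is a single statement and goes through. Validation of the value (and, where the driver supports it, parameter binding) is what closes the hole, which is why the advice in the thread is to fix the input handling rather than look for a server-side switch.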