Saturday, September 13, 2008
SQL Injection Nonsense
I know a whole gob of blogs have been talking about the SQL injection issues and all the fun stuff recently. I don't generally get into these security discussions as they're really not my focus. Don't get me wrong, it's an important subject, but I feel like there are plenty of other people out there tooting this horn who presumably know a crap ton more than I do on the subject. I'll be honest: for the last 4+ years I have worked completely inside our firewall on the intranet, so security is a bit different for us.

One thing I keep finding myself questioning, though, is how many of us are putting ourselves at risk unnecessarily? I'm not talking about not using cfqueryparam here; I am talking about the datasource and the database itself. Is your CF server using an account with the appropriate security level? Let's be honest here: 80% of us are using sa or some account with entirely too high a privilege level for what it is being used for, what a dead-brained move. If you are using sa or some other admin-level account, stop it and you stop half the threat. You don't even need to change code, just the datasource in the Admin.

Even if for some reason your web app needs to control the database at some crazy level, create specialized datasources for that section of the application. Datasources that are used on publicly accessible portions of a website should be restricted as much as possible.
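Here is what that split looks like on SQL Server, as an added example that is not from the original post: one locked-down login for the public datasource and a second one for the admin section, plus a check of what each can actually do before you point the ColdFusion Administrator datasource at it. The database name, table names, account names and passwords are all assumed placeholders.

```sql
-- Constructed example: two SQL Server logins for two ColdFusion datasources,
-- instead of one datasource running as sa. ShopDB, the tables and the account
-- names are hypothetical; replace the password placeholders before use.
USE ShopDB;

-- 1. Read-only account for the datasource used by public pages.
CREATE LOGIN cf_public WITH PASSWORD = '<placeholder-strong-password>';
CREATE USER cf_public FOR LOGIN cf_public;
-- Grant only what the public pages need: SELECT on specific tables,
-- not db_datareader on the whole database.
GRANT SELECT ON dbo.Products   TO cf_public;
GRANT SELECT ON dbo.Categories TO cf_public;
-- Explicit DENY wins over any GRANT a role membership might add later.
DENY INSERT, UPDATE, DELETE ON dbo.Products   TO cf_public;
DENY INSERT, UPDATE, DELETE ON dbo.Categories TO cf_public;

-- 2. Separate account for the admin section that really does need writes.
--    It still gets no schema changes and no server-level rights.
CREATE LOGIN cf_admin_section WITH PASSWORD = '<placeholder-strong-password>';
CREATE USER cf_admin_section FOR LOGIN cf_admin_section;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Products   TO cf_admin_section;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Categories TO cf_admin_section;

-- 3. Verify the effective permissions of the public account before wiring
--    it into the datasource. Expect a single SELECT row per table.
EXECUTE AS USER = 'cf_public';
SELECT entity_name, permission_name
FROM   fn_my_permissions('dbo.Products', 'OBJECT');
REVERT;

-- 4. Quick audit (run as an administrator): which logins on this server are
--    sysadmin? Any of them that appears in a CF datasource is the problem
--    the post is describing.
SELECT name
FROM   sys.server_principals
WHERE  IS_SRVROLEMEMBER('sysadmin', name) = 1;
```

After this, the public site's datasource in the ColdFusion Administrator uses cf_public, the admin section's datasource uses cf_admin_section, and nothing in the application code has to change.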