SQL injection safeguard and implicit action protection

During framework initialization, or even on each request, there are certain methods that ColdBox uses to get ready to do work. Those methods generally prepare objects, variables for views, session information, etc. A list of the standard methods is below.

  • onAppInit()
  • onRequestStart()
  • onSessionStart()
  • onRequestEnd()
  • onSessionEnd()
  • onException()
  • preHandler()
  • postHandler()
  • init()
  • onMissingAction()

The architecture of the framework doesn't allow us to set access="private" on all of these methods, so any of them can be reached as an action simply by naming it in the URL. Therefore, I thought it would be best to write my own mechanism to prevent these methods from being invoked via the URL. At the same time, it seemed like a good idea to port over a function written by Matt Quackenbush that I've been using to help prevent SQL injection.

This interceptor has one required property for it to function. With the current rate of new features being added to ColdBox, I wanted this to be flexible enough to run on whatever version of ColdBox you like. Therefore, it requires a 'badActions' property to be specified in coldbox.xml.cfm containing a comma-delimited list of the actions you want to protect.
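The shape of such an interceptor, as an added example rather than the cleanURL.cfc from this post (the method names preProcess, getProperty, propertyExists, event.getCurrentAction, event.getCollection, setNextEvent, the injected log object and the main.onInvalidEvent target are assumed from the ColdBox 3-era API; the regex is a constructed illustration, not Matt Quackenbush's function):

```cfml
// Added example: blocks direct URL calls to lifecycle/implicit actions and scans
// request values for SQL-injection tokens. Assumes ColdBox 3+ interceptor API.
component extends="coldbox.system.Interceptor" {

    // Runs once when the interceptor loads; fail fast if the required property is missing
    void function configure() {
        if ( !propertyExists( "badActions" ) ) {
            throw( type="cleanURL.MissingProperty",
                   message="Interceptor requires a 'badActions' property (comma list of actions to block)" );
        }
        // Normalise once so the per-request check is a cheap, case-insensitive list lookup
        variables.badActions = lCase( getProperty( "badActions" ) );
        // Constructed pattern (assumption): tokens that have no business in a normal URL/form value
        variables.sqlPattern = "(\bunion\b\s+(all\s+)?\bselect\b|\bdrop\s+table\b|\bexec(ute)?\b|\bxp_\w+|;\s*--|/\*|\*/|\bor\b\s+1\s*=\s*1)";
    }

    // Fires before any handler executes, so a blocked action never reaches handler code
    void function preProcess( required any event, required struct interceptData ) {
        // 1. Implicit-action protection: e.g. ?event=main.onRequestStart must not run the lifecycle method
        if ( listFindNoCase( variables.badActions, arguments.event.getCurrentAction() ) ) {
            log.warn( "Blocked direct call to implicit action #arguments.event.getCurrentEvent()# from #cgi.remote_addr#" );
            // Assumption: main.onInvalidEvent is an action that renders a generic error page
            setNextEvent( "main.onInvalidEvent" );   // relocates and aborts this request
        }

        // 2. SQL-injection safeguard: scan every simple URL/form value in the request collection
        var rc = arguments.event.getCollection();
        for ( var key in rc ) {
            if ( isSimpleValue( rc[ key ] ) && isSuspicious( rc[ key ] ) ) {
                log.warn( "Blocked suspicious value in parameter '#key#' from #cgi.remote_addr#" );
                setNextEvent( "main.onInvalidEvent" );
            }
        }
    }

    // True when a request value matches the pattern; kept separate so it can be unit-tested in isolation
    boolean function isSuspicious( required string value ) {
        // Decode first so %20-encoded spacing does not slip past the word-boundary checks
        return reFindNoCase( variables.sqlPattern, urlDecode( arguments.value ) ) > 0;
    }
}
```

A pattern blocklist like this is only a secondary layer: queries still need cfqueryparam (or another parameterised API) as the primary defence, and the badActions list must be kept in sync with whatever implicit methods your handlers define.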

Download the cleanURL.cfc interceptor

2 responses so far

Sana - Dec 11, 2008 at 7:06 PM

Nice work Jason.

I like to trap SQL injection with mod_rewrite rules :)

Jason Durham - Dec 11, 2008 at 7:22 PM

Thanks Sana. If you take a look at my blog post about the URL rewriting you helped me with, you'll see I mentioned that at the bottom. :) However, I wrote this interceptor before I started playing with URL rewriting and opted just to leave it. I suppose I'm wearing two condoms. :o)

http://blog.durhamcons.com/post.cfm/url-rewriting-for-iis7-and-coldbox
