SQL Injection is only the beginning. <cfqueryparam> is the easy part.
Well, I'm sure most will be glad that I am not going to try to beat this SQL Injection/cfqueryparam stuff any further into the ground. We get it now, right? Use cfqueryparam!! If you have a good reason not to, then use something else that serves the same purpose: creating a prepared statement for the query. You'll also have to do something to handle dynamic table names, dynamic sort statements, etc., since those are identifiers and cannot be bound as parameters. These topics have been so well handled by other bloggers that I am not going to try to take them any further. Look at the bottom of the page for links to some of the best explanations.
But this post is not about SQL Injection or about <cfqueryparam>; it is about having our eyes opened.
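For readers who want to see the two halves of that advice side by side, here is an added example (mine, not the author's): the string-concatenated query, the same query with its values bound through <cfqueryparam>, and an allow-list for the dynamic sort column, which cannot be bound. It assumes a "products" table (columns id, name, price, category_id, created_at) and a datasource in application.dsn.

```cfml
<!--- Constructed example. Assumed: a "products" table with columns id, name,
      price, category_id, created_at, and a datasource in application.dsn. --->
<cfparam name="url.id"   default="0">
<cfparam name="url.q"    default="">
<cfparam name="url.sort" default="name">
<cfparam name="url.dir"  default="asc">
<!--- Before: request values are pasted straight into the SQL string, so the
      database cannot tell data from SQL. This is the pattern to remove. --->
<cfquery name="qUnsafe" datasource="#application.dsn#">
    SELECT id, name, price
    FROM products
    WHERE category_id = #url.id#
    ORDER BY #url.sort#
</cfquery>

<!--- After, part 1: values. cfqueryparam binds each one as a typed parameter
      of a prepared statement. A non-numeric url.id is rejected by the
      cf_sql_integer type before the query ever reaches the database. --->
<cfquery name="qValues" datasource="#application.dsn#">
    SELECT id, name, price
    FROM products
    WHERE category_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND name LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- After, part 2: identifiers. Column names and ASC/DESC cannot be bound
      as parameters, so the request value is only used as a key into a
      fixed allow-list; the string from the request never enters the SQL. --->
<cfset sortColumns = structNew()>
<cfset sortColumns["name"]   = "name">
<cfset sortColumns["price"]  = "price">
<cfset sortColumns["newest"] = "created_at">
<cfif structKeyExists(sortColumns, url.sort)>
    <cfset sortCol = sortColumns[url.sort]>
<cfelse>
    <cfset sortCol = "name">
</cfif>
<cfif url.dir EQ "desc">
    <cfset sortDir = "DESC">
<cfelse>
    <cfset sortDir = "ASC">
</cfif>

<cfquery name="qSorted" datasource="#application.dsn#">
    SELECT id, name, price
    FROM products
    WHERE category_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    ORDER BY #sortCol# #sortDir#
</cfquery>
```

The same allow-list pattern covers dynamic table names: map the request value onto a fixed set of known table names and interpolate only the mapped value.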
I have been very pleased to see people taking security a little bit more seriously. I think this little "rash of attacks" has been good for the community as a whole. It's time to open our eyes and see that we can't just write and release. The security plan for our applications needs to be as much a part of the project planning process as any other piece. Security should not be an afterthought.
Like I said, I am glad to see the great reaction to this from the community. People are actually starting to take these threats seriously. And that is awesome. Now, I hope the community can prepare themselves for the other threats. This SQL injection thing has been a pretty big deal, but it is by no means the only show in town. We have a lot more to worry about, and we need to handle these threats with as much vigor and attention as we have given the SQL injection threat.
If a site is susceptible to SQL injection attacks, it is likely because the developer did not take the time to add cfqueryparam to queries. So I can only assume that the same developers have not taken the time to protect their applications from other attacks: Cross-Site Scripting (XSS), Cross-Site Request Forgeries (XSRF), On-Site Request Forgeries (OSRF), etc.
We need to be taking all of these threats seriously. Let's not wait for the next hacker article to cause a "rash of attacks". If your application accepts user input, and more importantly, if your application then displays that input back (even if only to the administrator), then your site is likely susceptible to some sort of Cross-Site or On-Site attack.
I am going to try to post some entries/articles further detailing these attacks and how we can combat them. This will require some research and testing. In the meantime, let's get those cfqueryparams in place.
I suspect that most everyone has seen these posts already. I am placing them here for archival purposes so that anyone going through my security series later will have access to good info on SQL injection.
Links to blog posts about SQL Injection and <cfqueryparam>: