Today, a page on one of my sites was getting SQL injection bombed. The site's
error handling caught the errors but the statement that threw the errors was in
a try/catch block and should not have, in my estimation, allowed an uncaught
exception to get to that level. Has anyone experienced any anomalies when using
<cftry><cfcatch> with a Query of Queries inside of it? It could be that I'm
missing something extremely fundamental but I just don't see it. This site is
on CF10 (with all updates) and IIS7.5. Any insight is appreciated.
Sidenote:
I am thinking that the qoq() method in the lib() object could use a rewrite but
this site's framework is obsolete and that is not a viable option.
The code in question:
<cftry>
    <cfsilent>
        <cfscript>
            param name="url.id" default="0";
            // added this portion as a workaround to solve the sql injection problem,
            // still can't figure out why the exception was not caught
            if(!isNumeric(url.id) || url.id < 0)
                url.id = 0;
            // end workaround
            variables.today = dateFormat(now(),"yyyy-mm-dd");
            variables.qXML = request.dalib.returnOvationsXML(expandPath("/import.xml"));
            variables.qXML = application.com.lib.qoq(variables.qXML,"eventDateBegin >= '#variables.today#'");
            // sql injection throws error here
            variables.xmlDetail = application.com.lib.qoq(variables.qXML,"eventID = #url.id#");
        </cfscript>
    </cfsilent>
    <cfif variables.xmlDetail.recordCount gt 0>
        <cfoutput query="variables.xmlDetail">
            <!--- output stuff here with successful query and recordcount --->
        </cfoutput>
    <cfelse>
        <!--- return html indicating no records found --->
    </cfif>
    <cfcatch type="any">
        <div class="error"><h4>We're sorry</h4>
        <p>Something went wrong while trying to view your selection.
        Please try again later.<br /></p>
        </div>
    </cfcatch>
</cftry>
Thank you,
Troy Jones
Technical Manager
Third Wave Digital
1841 Hardeman Ave.
Macon, GA 31201
www.thirdwavedigital.com
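The two Query-of-Queries filters from the post, rewritten so that url.id is bound with cfqueryparam instead of being concatenated into the WHERE clause. This is an added example, not code from the original post or its framework's qoq() helper; it assumes qXML has already been loaded by request.dalib.returnOvationsXML() and has the eventDateBegin and eventID columns used in the post.

```cfml
<!--- Added example (not from the original post): parameterised Query of Queries.
      Assumes qXML was loaded by request.dalib.returnOvationsXML() and has the
      columns eventDateBegin and eventID used in the post. --->
<cfparam name="url.id" default="0">
<cfset variables.today = dateFormat(now(), "yyyy-mm-dd")>

<!--- Accept only a non-negative whole number; anything else becomes 0,
      which matches the intent of the workaround in the post. --->
<cfif NOT reFind("^\d+$", url.id)>
    <cfset url.id = 0>
</cfif>

<!--- dbtype="query" makes cfquery run against the in-memory result set.
      cfqueryparam is supported in a Query of Queries, so the value is passed
      as a typed parameter and is never parsed as part of the SQL text.
      Unscoped names are used for the query variables; in a .cfm page they
      resolve to the variables scope the post uses. --->
<cfquery name="qXML" dbtype="query">
    SELECT *
    FROM   qXML
    WHERE  eventDateBegin >= <cfqueryparam value="#variables.today#"
                                            cfsqltype="cf_sql_varchar">
</cfquery>
<!--- cf_sql_varchar keeps the string comparison the original code performed
      against the 'yyyy-mm-dd' text; switch to cf_sql_date only if the column
      is a real date type. --->

<cfquery name="xmlDetail" dbtype="query">
    SELECT *
    FROM   qXML
    WHERE  eventID = <cfqueryparam value="#url.id#"
                                    cfsqltype="cf_sql_integer">
</cfquery>
<!--- With cf_sql_integer, a non-integer value fails at parameter binding
      with a normal CF error rather than being interpolated into the SQL. --->
```

Keeping the regex check in front of the query means bad input is handled as a 0 lookup (no records found) instead of reaching the cfcatch at all.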