It is widely known that ColdFusion protects developers from string based SQL injection attacks. This is because the ColdFusion server automatically escapes single quoutes (single quotes are a common SQL injection component). However, if you are using MySQL with ColdFusion, you may want check your MySQL version and configuration. First of all, remember that using cfqueryparam will protect you from SQL injection, even from this vulnerability I am talking about.In the default configuration, MySQL will allow you to escape single quotes with a backslash. This is intended to help you use single quotes as part of your query value, but it can open you to SQL injection attacks. Read Mark Kruger’s blog entry on the subject for all the gory details.To setup your MySQL server to prevent this, you first need to make sure you are patched up to versions 5.0.22 (or 4.1.20 if you are still running MySQL 4). Then you need to configure the NO_BACKSLASH_ESCAPES option in your MySQL server. There are various ways to do this (listed in this article), but I like just adding it to the my.cnf file, to make sure this option always runs when the server starts, regardless of how it is started. So open up your my.cnf file (or my.ini) and add this line:
sql-mode=NO_BACKSLASH_ESCAPES
I am running Linux for my web server, so I added this option to the [mysqld] section of the my.cnf file. Then you just need to restart your MySQL server, and you’re good to go.By the way, this NO_BACKSLASH_ESCAPES option was added as a security “fix” to prevent SQL Injection. So even if you use cfqueryparam all over the place (as you should), you will still want to turn this option on to be sure you’re safe.
