Yesterday I had the pleasure of fixing a site that got hit with SQL injection. The injection that was done was quite elaborate and was quite harmful. The injection managed to alter data in multiple tables. Then when the data was read out it caused havoc on the front end.

We had to write some elaborate SQL to reverse the damage and try to restore the system. In the end we ended up losing a ton of data. The damage done was so extensive that we were not able to repair everything. We could have just gone to a backup, but that would have caused more issues than it solved.

Once the damage was fixed I then got to work on preventing it. Funny thing was that the prevention took seconds to implement. The problem was that the CF database user had too many rights. It took just seconds to run some statements and reduce the rights that CF had. Once done, the same injection attempt that messed it all up to begin with failed.
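Here is what that "seconds to implement" fix looks like in practice. This is an added example, not the statements Dave ran on his site; it assumes MySQL syntax, and the database name (app_db), the account name (cf_app), the host (appserver) and the table names are placeholders. The idea is to replace a do-everything account with one that can only touch the tables and columns the CF application actually needs, so an injected statement that tries to write somewhere else is refused by the database itself.

```sql
-- Assumed dialect: MySQL. All names below are placeholders, not from the original post.

-- BEFORE (the situation described in the post): one account with rights to everything.
-- An injected UPDATE or DELETE against any table succeeds because the account allows it.
-- GRANT ALL PRIVILEGES ON *.* TO 'cf_app'@'appserver';      -- never do this for an app account

-- AFTER: a dedicated least-privilege account for the CF datasource.
CREATE USER IF NOT EXISTS 'cf_app'@'appserver' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- Start from zero so nothing granted earlier survives by accident.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'cf_app'@'appserver';

-- Read-only where the site only displays data.
GRANT SELECT ON app_db.products   TO 'cf_app'@'appserver';
GRANT SELECT ON app_db.categories TO 'cf_app'@'appserver';

-- Insert-only where the site only records new rows (no UPDATE/DELETE means
-- existing rows cannot be altered through this account at all).
GRANT SELECT, INSERT ON app_db.orders TO 'cf_app'@'appserver';

-- Column-level UPDATE: the app may bump last_login but cannot rewrite
-- passwords, roles or e-mail addresses in the same table.
GRANT SELECT, UPDATE (last_login) ON app_db.users TO 'cf_app'@'appserver';

-- Deliberately NOT granted: DROP, ALTER, CREATE, FILE, SUPER, GRANT OPTION,
-- and any rights on other databases (mysql.*, information_schema writes, etc.).

FLUSH PRIVILEGES;

-- Verify what the account can actually do before pointing the CF datasource at it.
SHOW GRANTS FOR 'cf_app'@'appserver';
```

Run the SHOW GRANTS check from a second connection and compare it against the list of queries the application really issues; anything the app does not need should not appear. With this in place, an injected UPDATE against products or a DELETE on users fails with a "command denied" error from MySQL rather than changing data, which is the behaviour the post describes after the rights were reduced. This complements, rather than replaces, parameterized queries on the CF side (cfqueryparam): the DB account limits the blast radius, the parameterization stops the injection from being parsed as SQL in the first place.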

So, the moral of the story... 1: Make sure the person setting up the database sets rights correctly. 2: Never assume the database guy did his job. 3: Follow best practices and do your best to prevent this on the CF side.

Till next time...

--Dave