ColdFusion/MySQL security vulnerability

It is widely known that ColdFusion protects developers from string-based SQL injection attacks. This is because when a variable is written directly into a cfquery, the ColdFusion server automatically doubles any single quotes in its value (a single quote is the usual way to break out of a SQL string literal). That escaping only helps inside string literals; a value used in a numeric context still has to be validated. However, if you are using MySQL with ColdFusion, you will want to check your MySQL version and configuration. First of all, remember that using cfqueryparam will protect you from SQL injection, including the vulnerability I am talking about here, because the value is sent to the database as a bind parameter rather than being written into the SQL text.

In the default configuration, MySQL also treats a backslash inside a string literal as an escape character, so \' is read as a literal single quote. This is intended to help you use single quotes as part of a query value, but combined with ColdFusion's quote doubling it opens you to SQL injection: an input that begins with \' becomes \'' after doubling, MySQL consumes \' as an escaped quote, and the second quote closes the literal, leaving whatever follows to be parsed as SQL. Read Mark Kruger's blog entry on the subject for all the gory details.

To set up your MySQL server to prevent this, you first need to make sure you are patched up to version 5.0.22 (or 4.1.20 if you are still running MySQL 4). Then you need to enable the NO_BACKSLASH_ESCAPES SQL mode on your MySQL server. There are various ways to do this (listed in this article), but I like just adding it to the my.cnf file, to make sure this option is always in effect when the server starts, regardless of how it is started. So open up your my.cnf file (or my.ini on Windows) and add this line:
sql-mode=NO_BACKSLASH_ESCAPES
I am running Linux for my web server, so I added this option to the [mysqld] section of the my.cnf file. If that section already has a sql-mode line, append NO_BACKSLASH_ESCAPES to it, comma-separated, rather than adding a second line, because a later sql-mode line replaces the earlier one. Then you just need to restart your MySQL server, and you're good to go. One caveat before you do this in production: the mode changes how every string literal is parsed, so existing queries or stored data that rely on backslash escapes such as \n or \\ will behave differently, and they are worth testing first.

By the way, this NO_BACKSLASH_ESCAPES option was added as a security "fix" to prevent SQL injection. So even if you use cfqueryparam all over the place (as you should), you will still want to turn this option on, so that any query that still interpolates a value directly is covered as well.
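The interaction described above, as an added example that is not part of the original post and is not ColdFusion's or MySQL's own code: a small Python model of what cfquery does to an inline string variable (doubling single quotes) and of how MySQL's lexer finds the end of a single-quoted literal in the default mode versus NO_BACKSLASH_ESCAPES, run against a constructed attacker input. The function names, the sample users query and the attacker string are this example's own. It also shows why a value passed through cfqueryparam is unaffected in either mode, and how the mode change alters benign values that contain backslashes.

```python
"""ColdFusion quote doubling versus MySQL backslash escapes.

Added example, not code from the original post and not ColdFusion's or
MySQL's own code: it models the two behaviours the post describes so the
interaction can be seen on a sample query.  All function names are the
example's own; the attacker input below is constructed for illustration.
"""

# MySQL's default-mode translations for backslash sequences inside a
# single-quoted literal.  Any other \x yields x itself (so \' is a quote).
# \% and \_ (kept verbatim by MySQL) are not modelled here.
ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "0": "\0", "b": "\b", "Z": "\x1a"}


def cf_escape(value):
    """What <cfquery> does to a string variable written inline in the SQL:
    every single quote becomes two.  Backslashes are passed through."""
    return value.replace("'", "''")


def build_query(username):
    """The pattern the post warns about: the value is interpolated into the
    SQL text and the query relies on cf_escape() alone.
    CFML equivalent (constructed): SELECT id FROM users WHERE name = '#username#'
    """
    return "SELECT id FROM users WHERE name = '" + cf_escape(username) + "'"


def build_query_bound(username):
    """What <cfqueryparam> does instead: the value travels as a bind
    parameter and never becomes part of the SQL text, so the lexer below
    is never applied to it in either sql_mode."""
    return "SELECT id FROM users WHERE name = ?", [username]


def lex(sql, no_backslash_escapes):
    """Split `sql` into ('code', text), ('str', text) and ('comment', text)
    pieces using MySQL's rules for single-quoted literals and '-- ' / '#'
    comments.  Inside a literal:
      * ''  is one literal quote in both modes
      * \\x is an escape sequence in the default mode only; with
        NO_BACKSLASH_ESCAPES a backslash is an ordinary character
    Double-quoted strings and /* */ comments are not modelled."""
    pieces, code, i, n = [], [], 0, len(sql)

    def flush():
        if code:
            pieces.append(("code", "".join(code)))
            code.clear()

    while i < n:
        ch = sql[i]
        if sql.startswith("-- ", i) or ch == "#":
            flush()                                  # rest of line is a comment
            end = sql.find("\n", i)
            end = n if end < 0 else end
            pieces.append(("comment", sql[i:end]))
            i = end
        elif ch != "'":
            code.append(ch)
            i += 1
        else:
            flush()                                  # opening quote
            i += 1
            lit = []
            while i < n:
                c = sql[i]
                if c == "\\" and not no_backslash_escapes and i + 1 < n:
                    lit.append(ESCAPES.get(sql[i + 1], sql[i + 1]))
                    i += 2
                elif c == "'" and sql.startswith("''", i):
                    lit.append("'")                  # doubled quote
                    i += 2
                elif c == "'":
                    i += 1                           # closing quote
                    break
                else:
                    lit.append(c)
                    i += 1
            else:
                # Reached end of input inside a literal: MySQL would raise a
                # syntax error rather than run anything.
                pieces.append(("unterminated", "".join(lit)))
                return pieces
            pieces.append(("str", "".join(lit)))
    flush()
    return pieces


def executable_sql(sql, no_backslash_escapes):
    """The parts of `sql` MySQL would treat as SQL rather than as data."""
    return "".join(t for kind, t in lex(sql, no_backslash_escapes) if kind == "code")


def payload_escapes_literal(username, no_backslash_escapes):
    """True if the attacker-controlled value ends up outside a string
    literal, i.e. the injection works under that sql_mode."""
    return "OR 1=1" in executable_sql(build_query(username), no_backslash_escapes)


# Constructed attacker input: a backslash, a quote, then the injected SQL.
ATTACK = "\\' OR 1=1 -- "

if __name__ == "__main__":
    for mode in (False, True):
        name = "NO_BACKSLASH_ESCAPES" if mode else "default sql_mode"
        print(f"{name}: injected = {payload_escapes_literal(ATTACK, mode)}")
        print("   ", lex(build_query(ATTACK), mode))
```

In the default mode the doubled quotes become an escaped quote followed by a closing quote, and the lexer reports ` OR 1=1 ` outside any literal; with NO_BACKSLASH_ESCAPES the whole attacker string stays inside the literal. The same lexer shows the cost of the switch: a benign value such as C:\temp is stored with a tab in the default mode and with a literal backslash after the change, which is why existing data and queries need checking before the mode goes live.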

Comments
>>I am running Linux for my web server, so I added this option to the [mysqld] section of the my.cnf file.

Can you explain that? I never know where (under what heading) to add anything in that file and mysql docs never tell you!

Is there anywhere that explains under which heading things go in the cnf file?

I said it in my post. You put it under the [mysqld] heading. :)

Yeah, I got that, thanks :-)

I was asking in general about how to know where to put such things in that file. I can never find any info explaining that in detail.

Um... I don't know who told you all of this, but they are REALLY full of it. You have no clue how many ColdFusion scripts I've hit against where I could inject arbitrary SQL commands despite them using cfqueryparam.