There's been a lot of publicity recently about the loss of sensitive PII (Personally Identifiable Information) on the web, and legacy ColdFusion applications have been hit especially hard. Hopefully, by now, you've upgraded to the latest version of the server, but that isn't enough. You've got to start actively protecting your system. One area of this is code, specifically protecting your database from form and URL hacking. (Remember Little Bobby Tables?)

Just like everything else we've discussed about upgrading your Legacy Code, the rest of your progress is handled mostly in baby steps, with one notable exception: you have to lock things down and prevent these security breaches.

Some time ago, ColdFusion introduced the <cfqueryparam> tag as a way of creating bind variables in your queries. Aside from providing SQL type checking for each param, it creates some inherent security by converting these arguments into bind variables in the SQL request, so the values are passed to the database separately from the SQL text. This is a double bonus in converting Legacy Code, as you get both the security and the performance enhancements of using bind variables. (Use <cfprocparam> with the <cfstoredproc> tag for making stored procedure calls.)

This can be one of the single most important things that you do in securing your application from outside attack. Make a project today of converting every single query call in your Legacy Code to use <cfqueryparam>. It might take you days, or even weeks, but it will be your very first line of defense. Don't just do those that are form inserts, or those that reference URL variables. Do all of them.

Now, there are other things that you can do to protect your app as well. Review the ColdFusion Lockdown Guide, and implement those changes relevant to your system. Run the FuseGuard Application Firewall, as an added layer of security. And, run your site through HackMyCF. The free report can give you some valuable insight on things you can do right now, and a paid subscription can give you even more information.

Don't forget: fix every query. Calling a stored proc from a <cfquery> tag? Convert it to <cfstoredproc>. Leave no stone unturned. And get in the habit of writing them this way going forward. Data breaches are bad for business, so don't become the next news article.
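The conversions described above, for both <cfqueryparam> and <cfstoredproc>, shown as before/after pairs. This is an added example, not code from the original article; the datasource variable, table, column and procedure names are hypothetical, and the EXEC call assumes SQL Server syntax.

```cfml
<!--- BEFORE (legacy): URL and form values are spliced into the SQL text,
      so whatever the client sent becomes part of the statement the database parses.
      application.dsn, orders and its columns are hypothetical names. --->
<cfquery name="qOrders" datasource="#application.dsn#">
    SELECT order_id, order_date, total
    FROM   orders
    WHERE  customer_id = #url.customerId#
    AND    status = '#form.status#'
</cfquery>

<!--- AFTER: each value travels as a typed bind variable, separate from the SQL text.
      A non-numeric url.customerId now fails type validation before the query runs. --->
<cfquery name="qOrders" datasource="#application.dsn#">
    SELECT order_id, order_date, total
    FROM   orders
    WHERE  customer_id = <cfqueryparam value="#url.customerId#" cfsqltype="cf_sql_integer">
    AND    status      = <cfqueryparam value="#form.status#" cfsqltype="cf_sql_varchar" maxlength="20">
</cfquery>

<!--- IN (...) lists: list="true" binds each element of the comma-delimited value separately. --->
<cfquery name="qByIds" datasource="#application.dsn#">
    SELECT order_id, total
    FROM   orders
    WHERE  order_id IN (<cfqueryparam value="#form.orderIds#" cfsqltype="cf_sql_integer" list="true">)
</cfquery>

<!--- BEFORE (legacy): stored procedure called through cfquery with inline values.
      usp_GetOrderHistory is a hypothetical procedure; EXEC assumes SQL Server. --->
<cfquery name="qHistory" datasource="#application.dsn#">
    EXEC usp_GetOrderHistory #url.customerId#, '#form.fromDate#'
</cfquery>

<!--- AFTER: cfstoredproc with one typed cfprocparam per argument,
      listed in the order the procedure declares them. --->
<cfstoredproc procedure="usp_GetOrderHistory" datasource="#application.dsn#">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#url.customerId#">
    <cfprocparam type="in" cfsqltype="cf_sql_date"    value="#form.fromDate#">
    <cfprocresult name="qHistory">
</cfstoredproc>
```

Queries that interpolate only internal values (session IDs, constants, loop counters) get the same treatment; the binding is what matters, not where the value came from.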

This article is the eighth in a series of articles on bringing life back to your legacy ColdFusion applications. Follow along in the Legacy Code category.