--------- you wrote ------------
"Buffer overruns using a carefully constructed packet of exactly 376
bytes may be a different matter" Could you explain.
---------------------------------

I was making a passing humorous reference to the recent "slammer" virus that
affected so many SQL servers.


----------- you wrote ------------------
I do use <cfqueryparam> because of the bennies that are supposed to come
with it. I just have not seen any difference and I have not been able to
reproduce an injection.
-----------------------------------------

The use of <cfqueryparam> is the remedy for injection attacks.  Injection
attacks can only occur when you pass data directly from a FORM or URL
parameter into a query, or where you are using a "dynamic" approach and
building a string based on user input ( myQuery = "select * from mytable
where " & form.col & "='" & form.searchstring .... etc.).  If you are passing
integers you are particularly vulnerable because there's no "escaping" of
single quotes. I have a blog on this at:

http://mxc.blogspot.com/

-mk



============================================
Bryan F. Hogan
Director of Internet Development
Macromedia Certified ColdFusion MX Developer
Digital Bay Media, Inc.
1-877-72DIGITAL
============================================

-----Original Message-----
From: Mark A. Kruger - CFG [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 12:08 PM
To: CF-Talk
Subject: RE: CFQUERYPARAM Grr!


Bryan,

I can tell you that in some instances it can increase speed quite
significantly - especially with character data. We've had apps that we
revised to use CFQUERYPARAM and we were able to see a definite improvement
from baselines before and baselines after (using just the DB baselines). As
for SQL injection attacks, it's definitely impervious to them from a
straight, "pass this value in..." perspective. There's only one exception to
this and it has to do with "date" values.  I've noted some folks passing in
date values as character data because the date type is tricky to work with.
Since the DB server can parse a string into a date, this "may" expose a
vulnerability on the other side (because it's not correctly pre-defined for
type). I'm trying to come up with a scenario where that would be a risk, but
nothing comes immediately to mind - so even that is probably reasonably
safe.  Buffer overruns using a carefully constructed packet of exactly 376
bytes may be a different matter <g>.

-Mk

-----Original Message-----
From: Bryan F. Hogan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 10:51 AM
To: CF-Talk
Subject: RE: CFQUERYPARAM Grr!


I've tried many times to verify the injections but have never been able to
with SQL 2000. Don't know about some other DB.
And as for speed, have not seen any proof.

============================================
Bryan F. Hogan
Director of Internet Development
Macromedia Certified ColdFusion MX Developer
Digital Bay Media, Inc.
1-877-72DIGITAL
============================================

-----Original Message-----
From: Everett, Al [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 11:45 AM
To: CF-Talk
Subject: RE: CFQUERYPARAM Grr!


No chance of a SQL insertion attack.

Uses bind variables which, on the whole, are faster.

Here's what Uncle Ben had to say about cfqueryparam:

http://www.macromedia.com/desdev/articles/ben_forta_faster.html



> -----Original Message-----
> From: Luce, Greg [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 13, 2003 11:37 AM
> To: CF-Talk
> Subject: RE: CFQUERYPARAM Grr!
>
>
> OK, then what benefit does using cfparam have over this:
> <cfif len(Trim(Attributes.firstname)) gt
> 0>'#attributes.firstname#'<cfelse>NULL</cfif>,
>
> Greg
>
> -----Original Message-----
> From: Bryan F. Hogan [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 13, 2003 11:31 AM
> To: CF-Talk
> Subject: RE: CFQUERYPARAM Grr!
>
>
> P.S. FYI "Null values can be inserted into a column by
> explicitly stating
> NULL in an INSERT or UPDATE statement, or by leaving a column
> out of an
> INSERT statement, or when adding a new column to an existing
> table using the
> ALTER TABLE statement." (Ref. SQL Server Books Online)
>
> ============================================
> Bryan F. Hogan
> Director of Internet Development
> Macromedia Certified ColdFusion MX Developer
> Digital Bay Media, Inc.
> 1-877-72DIGITAL
> ============================================
>
> -----Original Message-----
> From: Luce, Greg [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 13, 2003 11:09 AM
> To: CF-Talk
> Subject: RE: CFQUERYPARAM Grr!
>
>
> But I can't put this in the cfqueryparam:
> null="<cfif Len(Trim(Attributes.firstname)) lt 1>Yes<cfelse>No</cfif>"
> It errors:
> Attribute NULL in tag CFQUERYPARAM has an invalid value
>
> Cannot convert YesNo to boolean.
>
> I could put conditional logic around the whole cfqueryparam
> tag and just put
> null="Yes" or null="No" but that's kinda ugly.
>
> Greg
>
> -----Original Message-----
> From: Everett, Al [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 13, 2003 10:52 AM
> To: CF-Talk
> Subject: RE: CFQUERYPARAM
>
>
> Len(Trim(value)) EQ 0
>
> If the value doesn't exist, simply use IsDefined()
>
> > -----Original Message-----
> > From: Luce, Greg [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, February 13, 2003 10:41 AM
> > To: CF-Talk
> > Subject: RE: CFQUERYPARAM
> >
> >
> > OK, one more question. If I want it to insert NULL when there
> > is NOT a value
> > passed, how can I get the YesNoFormat thing to work. It's
> > ignoring the value
> > passed now if the len(trim)) IS gt 0, I want the opposite.
> >
> > -----Original Message-----
> > From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, February 13, 2003 10:14 AM
> > To: CF-Talk
> > Subject: Re: CFQUERYPARAM
> >
> >
> > Luce, Greg wrote:
> > > OK, I'm trying to use cfqueryparam on a varchar field
> > insert and it's
> > > inserting a "?" even though I'm entering a value in the
> > form field that's
> > > posting to this query. Anyone know what's wrong here?
> > >
> > > VALUES ('<cfqueryparam value="#Trim(Attributes.firstname)#"
> > > cfsqltype="CF_SQL_CHAR"
> > > null="#YesNoFormat(Len(Trim(Attributes.firstname)))#">',...
> >
> > No quotes around cfqueryparam. Never.
> >
> > Jochem
> >
> >
> >
>
>
>
>
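The pattern the thread converges on, pulled together in one place: a typed bind parameter for every user-supplied value (including the unquoted integer case Mark warns about and the date case he is unsure of), NULL when the field is empty, and no quotes around the tag. This is an added example, not code posted by anyone in the thread; the datasource "myDSN" and the table "people" with its columns are hypothetical.

```cfml
<!--- Added example (not from this thread). Assumes a DSN named "myDSN"
      and a table people(id, firstname, age, birthdate); all hypothetical. --->

<!--- Vulnerable: user input concatenated straight into the SQL string.
      The integer comparison has no quotes at all, so there is nothing
      to escape; the string comparison is only as safe as the quoting. --->
<cfquery name="getPersonUnsafe" datasource="myDSN">
    SELECT id, firstname FROM people
    WHERE id = #URL.id#
      AND firstname = '#URL.firstname#'
</cfquery>

<!--- Hardened: every value is a typed bind parameter. Quote characters in
      the input are data, not SQL; a non-integer id is rejected by ColdFusion
      before the statement reaches the database; the driver supplies the
      quoting, so the tag itself is never wrapped in quotes. --->
<cfquery name="getPerson" datasource="myDSN">
    SELECT id, firstname FROM people
    WHERE id = <cfqueryparam value="#URL.id#" cfsqltype="CF_SQL_INTEGER">
      AND firstname = <cfqueryparam value="#URL.firstname#"
                                    cfsqltype="CF_SQL_VARCHAR" maxlength="50">
</cfquery>

<!--- Insert with NULL for empty fields. The null attribute takes a boolean,
      so the test goes directly in the attribute: true when the trimmed value
      is empty. When null is true the value attribute is ignored. --->
<cfparam name="Attributes.firstname" default="">
<cfparam name="Attributes.age" default="">
<cfparam name="Attributes.birthdate" default="">

<cfquery name="insertPerson" datasource="myDSN">
    INSERT INTO people (firstname, age, birthdate)
    VALUES (
        <cfqueryparam value="#Trim(Attributes.firstname)#"
                      cfsqltype="CF_SQL_VARCHAR" maxlength="50"
                      null="#Len(Trim(Attributes.firstname)) EQ 0#">,
        <cfqueryparam value="#Attributes.age#"
                      cfsqltype="CF_SQL_INTEGER"
                      null="#NOT IsNumeric(Attributes.age)#">,
        <!--- Dates are bound as a date type rather than sent as a string
              for the database server to parse on its side. --->
        <cfqueryparam value="#Attributes.birthdate#"
                      cfsqltype="CF_SQL_DATE"
                      null="#NOT IsDate(Attributes.birthdate)#">
    )
</cfquery>
```

Because every parameter is bound rather than inlined, the database sees one statement text regardless of input, which is also what lets it reuse the prepared plan across calls.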




Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4