I just saw an attack on one of the sites we host on a CF6.1 server. The site
is pure CFC, and uses cfqueryparam everywhere, so the attack failed :)

Basically the attack was a poor attempt at a SQL injection, and it failed
when the data was being passed into the function, by the type checking that
is inherent to CFMX. Whilst I like the idea of being able to turn off
type checking in CF8 for performance reasons, I think this attack was a
timely reminder as to how useful type checking can be in a production
environment.

Yes, I know the cfqueryparam would have taken care of the problem if type
checking were off, but isn't security meant to be multi-layered? Are we
turning off a useful security feature if we tick the Disable CFC Type Check
checkbox?

Discuss.

Paul
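As an added illustration of the two layers Paul describes, here is a hypothetical CFC (this is not code from the original post or from the site in question). The `numeric` argument type is the first check and `cfqueryparam` with `cfsqltype="cf_sql_integer"` is the second; the component name, function name, datasource name and table columns are all assumptions made for the example.

```cfml
<!--- UserGateway.cfc: hypothetical component, constructed for this example. --->
<cfcomponent output="false">

  <cffunction name="getUser" access="public" returntype="query" output="false">
    <!--- Layer 1: CFMX argument type checking. If the caller passes a value
          such as "1 OR 1=1", it is not numeric, so CFMX throws before a single
          line of the function body (and therefore before any SQL) runs.
          This is the layer that goes away when "Disable CFC Type Check" is
          ticked in the administrator. --->
    <cfargument name="userID" type="numeric" required="true">

    <cfset var qUser = "">

    <!--- Layer 2: cfqueryparam binds the value as a typed bind parameter.
          The value never becomes part of the SQL text, and cf_sql_integer
          rejects a non-integer value even when type checking is off.

          The weak form this replaces would have been:
            WHERE user_id = #arguments.userID#
          which, with type checking off, splices the raw string into the
          statement and is injectable. --->
    <cfquery name="qUser" datasource="myDSN">
      SELECT user_id, user_name
      FROM   users
      WHERE  user_id = <cfqueryparam value="#arguments.userID#"
                                     cfsqltype="cf_sql_integer">
    </cfquery>

    <cfreturn qUser>
  </cffunction>

</cfcomponent>

<!--- Caller (e.g. a page that reads the id from the URL). With the hostile
      value "1 OR 1=1" the call fails at layer 1; with type checking disabled
      it fails at layer 2 inside cfqueryparam. Either way no query executes
      with attacker-controlled SQL text. --->
<cftry>
  <cfset gateway = createObject("component", "UserGateway")>
  <cfset qUser = gateway.getUser(url.id)>
  <cfcatch type="any">
    <!--- Log and return a generic error; do not echo cfcatch.message to the
          visitor, as it describes the argument name and expected type. --->
    <cflog file="security" text="Rejected user lookup: #cfcatch.message#">
  </cfcatch>
</cftry>
```

The two layers fail in different places (argument binding versus query preparation), which is the defence-in-depth point: ticking the type-check box removes the earlier, cheaper rejection, but only becomes dangerous in a function that also drops cfqueryparam.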



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:281851