Well... This has got to be the strongest case for unit testing then...

If a component is unit tested, then the first thing is that you will know that this could happen and fix it straight away. The second is that this is why... ColdFusion should have adopted an approach that used an ORM instead... With an ORM it reduces the risk, provided the ORM takes these attacks seriously. I have never seen these attacks with Hibernate, within GORM and Domain Driven Design approaches.

I so hope that ColdFusion 9 has 2 things on its release.
1) The engine itself is open sourced, and the extra functionality and support for middle-tier API integration is adopted.
2) A GORM-style approach as in DDD (Domain Driven Design) is taken more seriously.

With these 2 additions SQL injection will be a thing of the past.

--
Senior ColdFusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273

-----Original Message-----
From: Ben Forta [mailto:[EMAIL PROTECTED]
Sent: Saturday, 9 August 2008 2:05 AM
To: CF-Talk
Subject: RE: SQL injection attack on House of Fusion

Yep, was curious about that too. I modified Justin's script to not send e-mails, but to write a simple log entry - more an act of curiosity than anything else - I just log the date, time, and client IP address.

--- Ben

-----Original Message-----
From: Brad Wood [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2008 12:03 PM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion

Tell us how you really feel Ben. :)

I had to temporarily stop Apache on my site long enough to get a stopgap in place. My database is safe, but I was getting around 90 requests a second and ColdFusion and MySQL were eating up all the server's CPU trying to keep up. SSH was even unresponsive.

I think I'm going to dump all these attempts in a database to analyze. I'm curious where the majority of the IPs are coming from. There has to be a way to squeak in the ear of ISPs loud enough to have them shut down infected users until they are cleaned.

~Brad

----- Original Message -----
From: "Ben Forta" <[EMAIL PROTECTED]>
To: "CF-Talk" <cf-talk@houseoffusion.com>
Sent: Friday, August 08, 2008 10:50 AM
Subject: RE: SQL injection attack on House of Fusion

> Yep, I turned e-mail notifications off too, leave it on and you can
> inadvertently turn blocking SQL injection attacks into a self-imposed DoS
> attack. Fun stuff.
>
> On the plus side, it's nice to see CF finally getting the recognition it
> deserves, even if it is from parasitic bottom-feeding bots created by
> despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form
> repugnant socially-inept basement-dwelling death-penalty-deserving
> hacker-wannabes.
>
> --- Ben

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310667
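The top post argues that an ORM, or more generally a query whose values are bound rather than concatenated, takes SQL injection off the table. As an added example that is not code from the thread, from Justin's script or from ColdFusion itself, the Python below shows the mechanism against an in-memory SQLite table: the same request value is run through a concatenated query and through a bound-parameter query, and only the concatenated form lets the value change the statement. The table, rows and payloads are constructed for the demo. In ColdFusion the bound form corresponds to using cfqueryparam inside cfquery; in an ORM it is what the ORM does for you on every query it generates.

```python
"""Concatenated SQL versus a bound parameter, against a constructed SQLite table.

Added example, not code from the thread or from ColdFusion. The news table,
its two rows and the three payloads are constructed for the demonstration.
"""
import sqlite3


def make_db():
    """Create an in-memory database with a small, constructed news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news (title, body) VALUES (?, ?)",
        [("First post", "hello"), ("Second post", "world")],
    )
    conn.commit()
    return conn


def titles_concat(conn, news_id):
    """Vulnerable: the request value is pasted into the SQL text, so whatever
    the client sends is parsed as part of the statement."""
    sql = "SELECT title FROM news WHERE id = " + news_id
    return sorted(row[0] for row in conn.execute(sql))


def titles_param(conn, news_id):
    """Safe: the value is bound. The statement is always 'WHERE id = ?' and
    the value is compared as data; a non-numeric string simply matches nothing."""
    rows = conn.execute("SELECT title FROM news WHERE id = ?", (news_id,))
    return sorted(row[0] for row in rows)


def demo():
    """Run each payload through both query styles.

    Returns {payload: (concatenated_result, bound_result)}.
    """
    conn = make_db()
    results = {}
    for payload in ["1", "1 OR 1=1", "1 UNION SELECT body FROM news"]:
        results[payload] = (titles_concat(conn, payload), titles_param(conn, payload))
    return results


if __name__ == "__main__":
    for payload, (concat, bound) in demo().items():
        print(f"{payload!r:40} concatenated -> {concat}   bound -> {bound}")
```

The legitimate value "1" returns the same row either way. "1 OR 1=1" turns the concatenated query into a dump of every title, and the UNION payload pulls the body column out through a query that only ever mentioned titles; the bound query returns nothing for both, because the string "1 OR 1=1" is compared against the integer id column as a value, not parsed as SQL.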
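Ben's modified script logs the date, time and client IP of each attempt, Brad wants to collect the attempts to see where most of the IPs are coming from, and Ben's earlier note warns that an e-mail on every blocked attempt turns the block into a self-imposed DoS. As an added example that is none of the posters' code and not Justin's script, the Python below does both jobs: it aggregates a date/time/IP log per source address and per second, and it replays the log through a notifier that sends at most a fixed number of alerts per window and counts the rest. The one-line-per-attempt log format "YYYY-MM-DD HH:MM:SS ip" and the sample lines are constructed for the example.

```python
"""Aggregate logged SQL-injection attempts per source IP and throttle alerts.

Added example, not from the thread or any poster's script. It assumes a log
of one attempt per line, "YYYY-MM-DD HH:MM:SS <client ip>", which is the
date/time/IP record the thread describes; the exact format is an assumption.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: one noisy source, one smaller one, one stray hit.
SAMPLE_LOG = """\
2008-08-08 10:50:01 192.0.2.10
2008-08-08 10:50:01 192.0.2.10
2008-08-08 10:50:02 198.51.100.7
2008-08-08 10:50:02 192.0.2.10
2008-08-08 10:50:03 192.0.2.10
2008-08-08 10:50:03 198.51.100.7
2008-08-08 10:50:04 203.0.113.99
2008-08-08 10:51:10 192.0.2.10
"""


def parse_log(text):
    """Yield (timestamp, ip) per line; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[2]


def attempts_per_ip(text):
    """Count attempts by source IP (Counter.most_common gives the top offenders)."""
    return Counter(ip for _, ip in parse_log(text))


def peak_rate_per_second(text):
    """Largest number of attempts that landed within any single second."""
    buckets = Counter(ts for ts, _ in parse_log(text))
    return max(buckets.values(), default=0)


class ThrottledNotifier:
    """Send at most `limit` alerts per sliding `window`; later attempts in the
    same window are counted, not sent, so a flood of bot requests cannot turn
    the alerting itself into a denial of service."""

    def __init__(self, limit, window, send):
        self.limit = limit
        self.window = window
        self.send = send          # callable(message); an e-mail hook in practice
        self.sent_at = []         # send times still inside the window
        self.suppressed = 0

    def notify(self, now, ip):
        # Forget sends that have aged out of the window.
        self.sent_at = [t for t in self.sent_at if now - t < self.window]
        if len(self.sent_at) < self.limit:
            self.sent_at.append(now)
            self.send(f"{now:%Y-%m-%d %H:%M:%S} injection attempt from {ip}")
            return True
        self.suppressed += 1
        return False


def run_notifier(text, limit=2, window=timedelta(minutes=1)):
    """Replay a log through the notifier; return (messages sent, count suppressed)."""
    sent = []
    notifier = ThrottledNotifier(limit, window, sent.append)
    for ts, ip in parse_log(text):
        notifier.notify(ts, ip)
    return sent, notifier.suppressed


if __name__ == "__main__":
    print("attempts per IP:", attempts_per_ip(SAMPLE_LOG).most_common())
    print("peak attempts in one second:", peak_rate_per_second(SAMPLE_LOG))
    sent, suppressed = run_notifier(SAMPLE_LOG)
    print(f"alerts sent: {len(sent)}, suppressed: {suppressed}")
```

With the sample log, 192.0.2.10 accounts for five of the eight attempts, the busiest second carries two, and a limit of two alerts per minute sends three messages and suppresses five. Pointing parse_log at the real log file and feeding the per-IP counts into a database gives the per-source breakdown Brad describes; the suppressed count is the number you would want in a daily summary instead of in your inbox one e-mail at a time.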