Hmmm,

I believe IP spoofing is still a huge problem. I know little about it, so no
more comment on that but a quick google shows that it is still a huge
problem.

As for polymorphic functions, that is not the issue. SQL injection is mainly
passed via the URL, header or some form of post to the server. A filter can
be placed to introspect every request to check the URL for known SQL
injection attacks.

That would then remove the need to have extra overload for each query,
because the initial request would have already been checked. So if you were
to have a component with 20 queries, and have hits of around 1000, the cycles
to do SQL protection in the cfqueryparam would be reduced to one check and
not 20 * 1000, but 1000 only. Surely that increase in speed has to be worth
something? No?

As for what else cfqueryparam offers, this can be handled by the cfquery
tag. After all, ColdFusion has been using JDBC drivers for a long time; the
cfqueryparam was introduced in the days when ColdFusion was not built on top
of Java. That means that the extra features that JDBC drivers introduce
(like pooling, binding etc.) can be taken care of under the hood. And with a
proper ORM, it would know what datatype you are requesting anyway.

But as I stated once before, ColdFusion 9 with Hibernate native support
would eliminate the SQL injection problem.

I can't vouch for PHP or .NET, but at least in the Java world ORM reduces that
risk to nil. And it's built into the ORM, so if the ORM can't work out your
polymorphic function in the database then how does it do it?

This thread was about SQL injection, and a better response would be for
the CFML engine to intercept every request and reject anything that looks
remotely like a SQL injection attack.

If you were in the Java, Grails world there is no such thing as
cfqueryparam. They do it under the hood, and there is no real reason that
ColdFusion can't adopt the same.

How hard is that to understand?



-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273




-----Original Message-----
From: Jochem van Dieten [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 16 August 2008 10:15 PM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion

Andrew Scott wrote:
> Ever heard of IP spoofing? Sure you need to complain about it, but the one
> thing they need to do is track the packets.

IP spoofing is really only a significant problem with UDP. With TCP any 
decent ISP will catch spoofs in their egress filters. Even your cheap, 
Taiwanese black box NAT router at home will stop spoofing for TCP 
because it won't be able to match the NAT state.

You just send your complaints to the abuse department of their ISP and 
they will handle it. Or not, but that is really out of your hands.


> But yes start with your IP, give them as much info as they need to do their
> job with. It is then in their hands to contact the authorities to have the
> individual charged.

You want to charge somebody because his computer is infected with a trojan?


> Which leaves me to something I have stated before, why the hell Coldfusion
> didn't build this under the hood to begin with I do not know. Then it
> wouldn't matter if you use cfqueryparam or not, there is nothing that this
> tag does that couldn't be done under the hood.

There is no way CF can guess the right datatypes to bind my function 
arguments to when I call a polymorphic function in the database.


> I mean with all the filters that Coldfusion has from ajax to flex
> integration, one more filter for URL's would have been simple.

I haven't mentioned this before because I do believe that filtering 
request URLs is the wrong approach, but I'll let you in on a little 
secret: you can plug your filter regular expressions right into 
neo-security.xml. No need to change anything in any application, you 
just plug it in and enable the scriptprotect feature.

Jochem
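Added example, not code from either poster: a Python sketch (sqlite3 standing in for ColdFusion's JDBC data source) of the two approaches argued over in this exchange, a one-shot request filter versus binding the value the way cfqueryparam does. The sample table rows and the filter regex are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample table; not data from the thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "o'brien"), (3, "select")])
    return conn

# Request-level blocklist in the spirit of "inspect every request once":
# one regex applied to the raw parameter before it reaches any query.
SQL_WORDS = re.compile(r"\b(select|union|insert|update|delete|drop)\b|--|;", re.I)

def request_filter_blocks(value):
    """True if the filter would reject this parameter value."""
    return bool(SQL_WORDS.search(value))

def lookup_concat(conn, name):
    """Unbound query: the value is spliced into the SQL text and parsed as SQL."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, name):
    """Bound query (what cfqueryparam/JDBC does): the value travels as data."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE name = ?", (name,))]

def compare(name):
    """Run one input through the filter, the concatenated query and the bound query."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.OperationalError:
        concat = "SQL syntax error"   # the data altered the statement's structure
    return {"filter_blocks": request_filter_blocks(name),
            "concat": concat,
            "bound": lookup_bound(conn, name)}

if __name__ == "__main__":
    for name in ("alice", "o'brien", "select"):
        print(repr(name), compare(name))
```

The apostrophe in a perfectly ordinary name already breaks the concatenated statement while the bound one returns the row, and the filter rejects a legitimate user called "select": binding fixes the query, filtering only guesses at the input.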




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311101