Andrew Scott wrote:
> I believe IP spoofing is still a huge problem. I know little about it, so no
> more comment on that but a quick google shows that it is still a huge
> problem.

AIDS is a huge problem too. It is also about equally relevant for the
current wave of SQL injection attacks.

> As for polymorphic functions, that is not the issue. SQL injection is mainly
> passed via the URL, header or some form of post to the server. A filter can
> be placed to introspect every request to check the URL for known SQL
> injection attacks.

Yes, a sufficiently advanced filter (basically an allow list of values)
can do that. But you did not claim a filter could do that, you claimed
ColdFusion could do anything cfqueryparam does under the hood. And that
is just not true. It is impossible to extrapolate the correct datatype of
input BIND variables from the text of the query string. You need code or
convention for that.

> I can't vouch for php, .Net but at least in the Java world ORM reduces that
> risk to nil. And it's built into the ORM, so if the ORM can't work out your
> polymorphic function in the database then how does it do it?

With an ORM in combination with an untyped language my use case of
polymorphic functions would probably end up as a configuration issue in
the ORM and the ORM exposing multiple functions to the application.

> This thread was about SQL injection, and a better response would be for
> the CFML engine to intercept every request and reject anything that looks
> remotely like a sql injection attack.

But you can do that already. Just fiddle with the allowed SQL options in
CF and observe the random failures in the application as CF tries to
interpret SQL. Whatever the solution is, it is not teaching CF how to
interpret SQL. CF is the CFML runtime and should leave the interpretation
of SQL to the database.

> If you were in the Java, Grails world there is no such thing as
> cfqueryparam. They do it under the hood, and there is no real reason that
> Coldfusion can adopt the same.

Maybe the tags don't exist, but in Java the concepts do.
In fact, the CFML constructs map directly to Java classes:

cfquery -> java -> jdbc -> statement
cfquery + cfqueryparam -> java -> jdbc -> preparedstatement
cfstoredproc -> java -> jdbc -> callablestatement

And I think Dave already explained to you why you shouldn't compare
Grails and ColdFusion. Now, if you wanted to compare ModelGlue Unity and
Grails, you will see that neither exposes cfqueryparam like
functionality to the programmer. (But please don't claim the concepts
aren't there, they are just hidden behind an ORM).

Jochem
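A constructed illustration of the Statement vs PreparedStatement mapping Jochem describes (added here, not code from the thread or from ColdFusion): the same lookup written once with the value pasted into the SQL text and once as a typed bind variable. `bind_param` is an assumed, simplified stand-in for the type check cfqueryparam's `cfsqltype` performs; the `users` table is sample data built in memory.

```python
import sqlite3


def setup_db():
    """Constructed in-memory sample table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_concat(conn, user_id):
    """Bare cfquery with #user_id# pasted into the SQL: a JDBC Statement.
    The database only ever sees the finished string, so it cannot tell
    which part of it was meant as a literal value."""
    sql = "SELECT name FROM users WHERE id = " + str(user_id)
    return [row[0] for row in conn.execute(sql)]


def bind_param(value, cfsqltype):
    """Assumed, simplified stand-in for what cfqueryparam does before binding
    (not ColdFusion's real implementation): the *code* declares the type and
    checks the value against it, because the SQL text alone cannot supply it."""
    if cfsqltype == "cf_sql_integer":
        text = str(value).strip()
        if not text.lstrip("-").isdigit():
            raise ValueError(f"{value!r} is not a valid integer")
        return int(text)
    if cfsqltype == "cf_sql_varchar":
        return str(value)
    raise ValueError(f"unsupported cfsqltype {cfsqltype!r}")


def lookup_bound(conn, user_id):
    """cfquery + cfqueryparam cfsqltype="cf_sql_integer": a JDBC PreparedStatement.
    The SQL shape is fixed; the value travels separately as a typed bind variable."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (bind_param(user_id, "cf_sql_integer"),))]


if __name__ == "__main__":
    conn = setup_db()
    print(lookup_concat(conn, "1"))         # ['alice']
    print(lookup_concat(conn, "1 OR 1=1"))  # ['alice', 'bob']: the pasted text became SQL
    print(lookup_bound(conn, "1"))          # ['alice']
    try:
        lookup_bound(conn, "1 OR 1=1")
    except ValueError as e:
        print("rejected before reaching the database:", e)
```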

