Actually,

That should have been the reverse on URL filtering :-( In other words, I
should or could write a filter to do the checking of SQL injections. Sorry,
my bad there. But it is only one way to do it.

Anyway, as I do Grails work, I dug this link up for you all...

http://docs.codehaus.org/display/GRAILS/Security

So it is possible to do under the hood. Now, I can't vouch for Transfer, but I
do know Mark would have used cfqueryparam. As it is written in ColdFusion in
most parts, it does take care of the fact that, as a developer, I don't need
to worry about SQL injection, as I am confident that Transfer has taken care
of it for me. That is a typical example of how ColdFusion can and should do it
under the hood.

And take particular notice how the data is escaped when committing to the
database.


-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273




-----Original Message-----
From: denstar [mailto:[EMAIL PROTECTED] 
Sent: Sunday, 17 August 2008 1:14 AM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion

On Sat, Aug 16, 2008 at 6:15 AM, Jochem van Dieten wrote:
> Andrew Scott wrote:
>> Ever heard of IP spoofing? Sure you need to complain about it, but the one
>> thing they need to do is track the packets.
>
> IP spoofing is really only a significant problem with UDP. With TCP any
> decent ISP will catch spoofs in their egress filters. Even your cheap,
> Taiwanese black box NAT router at home will stop spoofing for TCP
> because it won't be able to match the NAT state.

Unrelated, but isn't our government pretty much listening to all the
chatter across the wires?  Pity to think we couldn't take advantage of
that infrastructure. </joke>

[...]

> There is no way CF can guess the right datatypes to bind my function
> arguments to when I call a polymorphic function in the database.

This, I'm curious about.  Aren't there ways to use some type of
introspection?

Bah. I see your point, even if so, you end up having to understand
every type of SQL, if from a different angle.  No easy java SQL parser
to throw in, I guess.

Still, there aren't *that* many DBs out there that would need to be
supported... :-)p

> I haven't mentioned this before because I do believe that filtering
> request URLs is the wrong approach

Care to elaborate on this?

Even just a couple of rules in an apache conf file has helped quite a
bit to eliminate these spam hits on CF, without impacting anything
else, that I'm aware of... are you thinking something closer to the
network level?
Every piece you add opens holes, and I used to sorta shun rewriting
because of that, but, who am I kidding?  :-)  And it seems like
rewriting is pretty common-place, so pretty vetted.  But I'd love to
hear your take on the URL request filtering, Jochem!

:Denny

-- 
Few of the many wise apothegms which have been uttered have prevented
a single foolish action.
Thomas B. Macaulay
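
As an added illustration of the cfqueryparam point made above (example code written for this page, not code from Transfer, from Mark, or from anyone in the thread; the datasource name appDSN, the article table and its columns are assumed):

```cfml
<!---
  Vulnerable form: the request value is concatenated straight into the SQL.
  A request such as ?id=1 OR 1=1 changes the meaning of the WHERE clause, and
  with drivers that allow stacked statements ?id=1; DROP TABLE article-- can
  do worse. Datasource, table and column names are assumed for the example.
--->
<cfquery name="articleUnsafe" datasource="appDSN">
    SELECT id, title, body
    FROM   article
    WHERE  id = #url.id#
</cfquery>

<!---
  Hardened form: cfqueryparam sends the value as a bind parameter, so the
  database never parses it as SQL. Because ColdFusion cannot infer the
  column's type for you (Jochem's point above), the type is stated
  explicitly; with cf_sql_integer a value such as "1 OR 1=1" is rejected by
  ColdFusion as invalid data before any query reaches the database.
--->
<cfquery name="articleSafe" datasource="appDSN">
    SELECT id, title, body
    FROM   article
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!---
  The same rule applies to string values, including the wildcards of a LIKE
  search: the % signs are part of the bound value, not of the SQL text.
  maxlength bounds the input so an oversized value is rejected.
--->
<cfquery name="search" datasource="appDSN">
    SELECT id, title
    FROM   article
    WHERE  title LIKE <cfqueryparam value="%#form.q#%"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="100">
</cfquery>

<!---
  Lists are bound with list="true": each element becomes its own bind
  parameter and is validated against cfsqltype individually.
--->
<cfquery name="byIds" datasource="appDSN">
    SELECT id, title
    FROM   article
    WHERE  id IN (<cfqueryparam value="#url.ids#"
                                cfsqltype="cf_sql_integer"
                                list="true">)
</cfquery>
```

One caveat worth keeping in mind when relying on a framework to do this for you: bind parameters only cover values. A table name, column name or ORDER BY column taken from the request cannot be passed through cfqueryparam and has to be checked against a fixed list of allowed names in your own code.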




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311107