Justin, I certainly don't feel picked on. I feel blessed to have a place where I can learn from people who do know so much. And you are right. I (we) only seem to learn under fire. I am a one-man business owner in a small town with limited resources and time. 10-hour days, work weekends, what is family time except coaching baseball-soccer-basketball, and I have forgotten what sleep even is. So, what do we do? I am a little embarrassed to say I didn't know, but at least in honesty I can learn and get a complete picture. So, what is PCI-DSS (he asks sheepishly), or is that a whole 'nother post???? Thanks everyone!

~David G. Moore, Jr.

P.S. Speaking of Smack Downs, Mary Jo's got a great right cross :) Go get 'em, girl!

> Subject: Re: SQL injection attack on House of Fusion
> From: [EMAIL PROTECTED]
> To: cf-talk@houseoffusion.com
> Date: Wed, 20 Aug 2008 17:41:12 -0400
>
> > When you say "Update Your Code", are you saying using <cfqueryparam>? But even so, the SQL injection will still use up countless resources instead of cutting it off early. So, go back and fix 1,000s of lines of code I have developed over the last umpteen years, or stop it before it starts? Is this something new to CF8 or just a necessary evil because of SQL injection attacks?
>
> Essentially, yes, code should be using cfqueryparam and other secure coding methods to keep the baddies out. The resources will get used either way, really. You can either rely on a filter up-front and use up CPU cycles regardless of whether a user is legitimate or not, or even whether or not a query is being run in the page or not, etc. Or, you can implement cfqueryparam where appropriate and only use those cycles where they're needed, and you'll get the added benefit of prepared statements on the SQL Server in most cases, and the queries will run slightly faster as a result.
>
> Either way you go, protect yourself and your clients.
>
> SQL injection attacks have been around since before I got started in web development, and secure coding against them has been a best practice just as long. I remember updating "old" CF code I inherited way back when I was using ColdFusion 4, so it's certainly nothing new.
>
> It's unfortunate that you haven't seen this in practice until now, but it really is something you should be doing. It's been my observation over the years that web programmers in general (not just limited to ColdFusion) tend to learn about security only when there is a breach of some kind, and then have to scramble to learn under fire. Just as an example, how many out there run e-commerce applications and have never heard of PCI-DSS?
>
> I'm not picking on you specifically, David, so please don't think I'm calling you out or anything. I'm always learning new things myself, but we web developers need to collectively get more educated about the risks and threats we face and alter our practice accordingly.
>
> -Justin Scott
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311328
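The "update your code" advice in the quoted reply, shown as CFML. This is an added example and is not code from the thread, from House of Fusion, or from Adobe; the datasource name "shopDSN", the products table (id INT, name VARCHAR, sku VARCHAR) and the URL parameters are assumptions made for the illustration. The first query is the pattern the reply warns about; the rest are the cfqueryparam form that turns each user-supplied value into a typed bind parameter, which is what gives you a prepared statement on the database side.

```cfml
<!--- Added example, not from the original thread. Assumes a datasource "shopDSN"
      with a table products(id INT, name VARCHAR(100), sku VARCHAR(50)). --->
<cfparam name="url.id"  default="0">
<cfparam name="url.sku" default="">
<cfparam name="url.ids" default="0">

<!--- BEFORE: url.id is pasted straight into the SQL text. A constructed request such as
      product.cfm?id=1%20OR%201=1 turns the clause into "WHERE id = 1 OR 1=1" and
      returns every row; a payload with a semicolon can append further statements.
      Left here only to show the pattern to remove; do not deploy it. --->
<cfquery name="getProductUnsafe" datasource="shopDSN">
    SELECT id, name, sku
    FROM   products
    WHERE  id = #url.id#
</cfquery>

<!--- AFTER: the value is sent as a typed bind parameter, so the database receives one
      integer and never SQL text. ColdFusion validates the value against cfsqltype, so
      "1 OR 1=1" is rejected before the query is sent, and the statement text itself is
      constant, which is what lets the driver prepare and reuse it. --->
<cfquery name="getProduct" datasource="shopDSN">
    SELECT id, name, sku
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings work the same way: quotes in the input travel as data, not as syntax, and
      maxlength caps what reaches the database regardless of what the request carried. --->
<cfquery name="findBySku" datasource="shopDSN">
    SELECT id, name, sku
    FROM   products
    WHERE  sku = <cfqueryparam value="#url.sku#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<!--- A comma-separated list for an IN clause: list="true" expands to one bind
      placeholder per item, each validated as an integer. --->
<cfquery name="getSeveral" datasource="shopDSN">
    SELECT id, name, sku
    FROM   products
    WHERE  id IN ( <cfqueryparam value="#url.ids#" cfsqltype="cf_sql_integer" list="true"> )
</cfquery>

<cfoutput query="getProduct">
    #id#: #name# (#sku#)<br>
</cfoutput>
```

The conversion from the old form to the new one is mechanical: every `#variable#` that appears inside a `<cfquery>` becomes a `<cfqueryparam>` with the column's type. The one thing cfqueryparam cannot bind is an identifier (a table or column name, or ORDER BY direction); those must still be checked against a fixed list in CFML before being placed in the query.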