If you're interested, I have a project that I just wrote for a client that
will allow you to scan an entire directory tree for all files that have a
cfquery with un-paramed variables and fix them. It doesn't work
automatically (it could but I disabled that option) but instead gives you
the queries on a screen with a select next to each un-paramed variable with
a suggested option. It's not a polished app for commercial use but a tool
for back end site optimization. So if you're up for a beta, let me know.

On Sat, Sep 20, 2008 at 9:45 AM, Al Musella, DPM
<[EMAIL PROTECTED]>wrote:

>  A new type of sql attack is hitting my server since about 2 am this
> morning.....  It got through the filter I use because it has
> different keywords.  Luckily the cfparam triggered an error - as it
> was looking for integers and was finding this:
> =========================================================
>
> +and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--sp_password
> ========================================================
>
> So I added sp_password and schema to my list of bad keywords
>
> Al

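The detection logic behind a scanner like the one described above, written here as an added example in Python (it is not the poster's tool and not code from the thread). It walks a directory tree, pulls out every `<cfquery>` block, strips the `<cfqueryparam>` tags that are already there, and flags any remaining bare `#variable#` interpolation with a suggested `<cfqueryparam>` replacement. The sample CFML is constructed for the example, and `suggest_sqltype` is a naming heuristic that a reviewer would confirm by hand; the point it demonstrates is that binding values with cfqueryparam removes the need for the keyword blacklist the quoted message relies on, since a bound value is never parsed as SQL whatever words it contains.

```python
import os
import re

# Constructed sample CFML for this example (not from the original thread):
# one fully unparameterized query, one partly parameterized, one with no variables.
SAMPLE_CFM = """
<cfquery name="getUser" datasource="site">
  SELECT * FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="getPost" datasource="site">
  SELECT * FROM posts
  WHERE slug = <cfqueryparam value="#url.slug#" cfsqltype="cf_sql_varchar">
    AND author = '#form.author#'
</cfquery>
<cfquery name="getAll" datasource="site">
  SELECT * FROM pages WHERE active = 1
</cfquery>
"""

CFQUERY_RE = re.compile(r"<cfquery\b([^>]*)>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE)
# Plain variable interpolation only: #scope.name#, #name#, #arr[1]#.
# Function calls such as #dateFormat(now())# are deliberately not matched.
INTERP_RE = re.compile(r"#([A-Za-z_][\w.\[\]]*)#")
NAME_RE = re.compile(r'\bname\s*=\s*"([^"]*)"', re.IGNORECASE)


def suggest_sqltype(var_name):
    """Heuristic guess at a cfsqltype from the variable name; the reviewer confirms it."""
    leaf = var_name.rsplit(".", 1)[-1].lower()
    if leaf == "id" or leaf.endswith("id") or leaf in ("count", "page", "num"):
        return "cf_sql_integer"
    return "cf_sql_varchar"


def find_unparamed(cfml):
    """Return one finding per bare #variable# inside a <cfquery> body."""
    findings = []
    for m in CFQUERY_RE.finditer(cfml):
        attrs, body = m.group(1), m.group(2)
        name_m = NAME_RE.search(attrs)
        qname = name_m.group(1) if name_m else "<unnamed>"
        # Drop each <cfqueryparam ...> tag so its value="#...#" is not counted as bare.
        stripped = CFQUERYPARAM_RE.sub("", body)
        for v in INTERP_RE.finditer(stripped):
            var = v.group(1)
            findings.append({
                "query": qname,
                "variable": var,
                "suggestion": '<cfqueryparam value="#%s#" cfsqltype="%s">'
                              % (var, suggest_sqltype(var)),
            })
    return findings


def scan_tree(root, extensions=(".cfm", ".cfc")):
    """Walk a directory tree and collect findings per file; files are read, never modified."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(extensions):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_unparamed(fh.read())
                if hits:
                    results[path] = hits
    return results


if __name__ == "__main__":
    # Report on the constructed sample; pass a directory to scan_tree() for a real tree.
    for f in find_unparamed(SAMPLE_CFM):
        print("%s: #%s# -> %s" % (f["query"], f["variable"], f["suggestion"]))
```

Each finding pairs the query name and variable with the suggested tag, which is the "select next to each un-paramed variable" view in table form; the file is never rewritten, matching the poster's choice to leave the automatic fix disabled.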
Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312859