Just for the record, I use other techniques to protect my sites too,
but in this case I was outlining what saved me in this case.
Clearly there are a bazillion ways nasty people can do damage or
exploit weaknesses in sites.

In this case, I was grateful that I hadn't given in to the temptation
to take the shortcut. The fields that the hacker was trying to
inject into are integer fields. If I hadn't had the cfqueryparam set
up for all variables to the query, AND the cf-sqltype="integer"
parameter as well, the injection might have got through the other
defences I have set up.

But the cfqueryparam stopped the text injection getting into the
query, and the fact that I use error handling to trap errors, and give
no feedback as to why the url failed, meant it was difficult for the
hacker to figure out what he had to do to get around my defences. As
it is, I got to watch over a period of 8 hours several hundred
attempts to exploit my database and do damage, without having to lift
a finger.


I use a code writer to write most of my queries - at least the CRUD
ones anyway, so it's no difficulty to ensure all the queries have
cfqueryparam, but at the time I wrote this site, I didn't have the code
writer ready yet. I'm just glad I took the time back then to do the
job properly and not cut corners.

All I'm saying about this is: whenever you think it's not likely
someone will try to hack your site, and anyway you're up against a
deadline and cfqueryparam is a long-winded way to type out the simple
parameter you want to use, THINK AGAIN!! It is DEFINITELY worth
putting up all the defences you can, provided there isn't an undue
price to pay in terms of performance. In fact, using cfqueryparam
improves performance of queries - that site of mine is a
database-driven site for a radio show, and it just lopes along during
the show when load is higher.

If anyone is curious about what site it is, I'll be happy to tell you
and let you have a look for yourself,  but I'm reluctant to post the
url here since I've discussed so much about the security of the site.
Just send me an email off line and I'll tell you.

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion 9 Enterprise, PHP, ASP, ASP.NET hosting from AUD$15/month

On Mon, May 2, 2011 at 11:49 PM, Dorioo <dor...@gmail.com> wrote:
>
> Ok. I'll respect your opinion.
>
> But for anyone new to CF that may read this, I don't believe there is a
> debate about using cfqueryparam. My impression is that the settled majority
> best practice is to use it blindly, use it everywhere rather than not use
> it, or use it sparingly, or not use it because of code aesthetic reasons.
>
> - Gabriel
>
> On Mon, May 2, 2011 at 9:04 AM, <> wrote:
>
>>
>>> Are you implying that cfqueryparam _shouldn't_ be used for these
>>> reasons??
>>
>> No, I'm just saying that there are better and more efficient ways of
>> fighting attacks.
>> I use cfqueryparam on some occasions, but not everywhere blindly.
>>
>>
>
> 

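The approach Mike describes above, written out as an added CFML example (this is not code from the original post or from Mike's site): an integer lookup that pastes the URL value straight into the SQL text, beside the same query with cfqueryparam (the real attribute is cfsqltype="cf_sql_integer", which is what his cf-sqltype="integer" refers to), wrapped in cftry/cfcatch so that a failed request is logged for the operator but the visitor gets a generic response. The datasource name radioDSN, the table episodes and its column episode_id are assumed names.

```cfml
<!--- Added example, not from the original post. Assumes a datasource "radioDSN"
      and a table "episodes" with an integer primary key "episode_id" (hypothetical). --->
<cfparam name="url.id" default="0">

<!--- Vulnerable form (left here as a comment so it never runs):
      the URL value becomes part of the SQL text, so any non-numeric content
      in url.id is parsed by the database as SQL rather than as a number.

      <cfquery name="getEpisodeUnsafe" datasource="radioDSN">
          SELECT episode_id, title FROM episodes WHERE episode_id = #url.id#
      </cfquery>
--->

<!--- Hardened form: cfqueryparam sends the value as a bind parameter, and
      cf_sql_integer makes ColdFusion validate it as an integer before the
      statement is sent. A non-integer value throws an exception inside CF and
      never reaches the database engine. --->
<cftry>
    <cfquery name="getEpisode" datasource="radioDSN">
        SELECT episode_id, title
        FROM   episodes
        WHERE  episode_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfoutput query="getEpisode">
        <p>#getEpisode.episode_id#: #getEpisode.title#</p>
    </cfoutput>

    <cfcatch type="any">
        <!--- Record the rejected value and the exception detail for the operator
              (this is the log Mike was able to watch), but give the visitor no
              hint as to what failed or why. --->
        <cflog file="rejected-requests" type="warning"
               text="Rejected id=[#url.id#] from #cgi.remote_addr#: #cfcatch.message#">
        <cfheader statuscode="404" statustext="Not Found">
        <cfoutput><p>Page not found.</p></cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```

Two things worth noticing: the type check happens in ColdFusion, so the database never sees the bad value at all, and because the query text is identical on every request the database can cache its execution plan, which is the performance gain Mike mentions. The generic 404 and the cfabort are what deny the attacker the error messages they would otherwise use to learn how the query is built.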
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344126