Claude Raiola wrote:
> We have just had an SQL injection attack.
>
> Given we have several hundred ColdFusion pages and the SQL database has
> several hundred tables, has anyone found a reliable solution where a
> script can be placed in the application.cfm page that will prevent code
> being appended to queries, as a viable alternative to having to edit
> every query across the 100's of pages to use the appropriate <cfqueryparam
> .............

You *have* to use <cfqueryparam , no choice. But it takes time to patch up legacy sites, etc., so drop the function found here:

http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18

into your application.cfm and that will take some of the stress away. There has been much chatter on various Lists about this and Mary Joe is keeping the latest version of the function ready for her own clients and the rest of us, most appreciated.

Another assist, if you have the access, is to remove permissions for the System tables in the database, sys_objects and the like, so the script cannot read them to do its nasty work.

We surfed to our favourite surf watching site yesterday and got a warning from Chrome (dodgy site warning). The site had been infected :-(

Do a Google on:

chkadw.com

and see how many hits there are, and most of them are right there in the Title of the, obviously CMS-driven, website!

--
Yours,
Kym Kovan
mbcomms.net.au
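
The per-query change the reply above says cannot be avoided, shown as an added example that is not part of the original message or of the linked function. The datasource, table and column names are hypothetical.

```cfml
<!--- Constructed example: datasource "shopDSN", table "products" and its columns are hypothetical. --->

<!--- Before: legacy pattern. The URL value is concatenated into the SQL text,
      so whatever arrives in url.id is parsed by the database as part of the statement. --->
<cfquery name="getProduct" datasource="shopDSN">
    SELECT product_id, name, price
    FROM products
    WHERE product_id = #url.id#
</cfquery>

<!--- After: the value is sent as a typed bind parameter and is never parsed as SQL.
      A non-integer value fails cfqueryparam validation before the query is sent. --->
<cfquery name="getProduct" datasource="shopDSN">
    SELECT product_id, name, price
    FROM products
    WHERE product_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- IN clause: list="true" binds every list element as its own typed parameter. --->
<cfquery name="getProducts" datasource="shopDSN">
    SELECT product_id, name, price
    FROM products
    WHERE product_id IN (<cfqueryparam value="#url.ids#" cfsqltype="cf_sql_integer" list="true">)
</cfquery>

<!--- Text search: the wildcards go inside the bound value; maxlength caps the input size. --->
<cfquery name="searchProducts" datasource="shopDSN">
    SELECT product_id, name, price
    FROM products
    WHERE name LIKE <cfqueryparam value="%#form.q#%" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>
```

Searching the code base for `<cfquery` blocks that still contain a bare `#url.`, `#form.` or `#cookie.` reference gives a working list of the queries left to convert.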