It's a pretty fine point, to be sure, but important to note. I have seen many people who claim to be immune to SQLi due to the use of stored procs wind up regretting their bravado when tested.
-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Great spirits have often encountered violent opposition from weak minds."
    --Einstein


On Jul 21, 2008, at 2:51 PM, John Mason wrote:

True...there again it depends on how you write the stored proc. I stand
corrected :)

John Mason
[EMAIL PROTECTED]
770.337.8363

www.FusionLink.com - ColdFusion and Flex hosting
Now offering VPS Plans running with VMware technology
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion hosting

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Monday, July 21, 2008 2:43 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Re: SQL injection in the recent news again

cfstoredproc will *not* prevent SQL injection.  Stored procs are not
magically immune, they too may be subject to SQL injection in the SP code itself. So the problem has moved from CF to the DB itself. Make sure you
write your stored procs with protection from SQLi, as well.

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
    --Thomas Jefferson
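As an added illustration of the point Dean makes above (example code written for this page, not code posted in the thread): a SQL Server stored procedure that assembles its query by string concatenation and runs it with EXEC is injectable no matter how carefully the ColdFusion side passed the value through cfstoredproc/cfprocparam, because the parameter boundary is thrown away inside the procedure. The table, column and procedure names are assumptions made up for the example. The hardened version keeps the value as a typed parameter to sp_executesql; where the SQL does not need to be dynamic at all, a plain static SELECT against @UserName is simpler still.

```sql
-- Added example (not from the thread). Schema and names are assumed.
CREATE TABLE dbo.Users (
    UserId   INT IDENTITY PRIMARY KEY,
    UserName NVARCHAR(50)  NOT NULL,
    Email    NVARCHAR(100) NOT NULL
);
GO

-- VULNERABLE: the caller delivered @UserName as a real parameter, but the
-- procedure concatenates it into SQL text and executes the text, so the
-- value is parsed as SQL again and the parameterisation is lost.
CREATE PROCEDURE dbo.GetUserByName_Unsafe
    @UserName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT UserId, UserName, Email FROM dbo.Users '
             + N'WHERE UserName = ''' + @UserName + N'''';
    EXEC (@sql);
END;
GO

-- The input  x' OR 1=1 --  turns the executed text into
--   SELECT UserId, UserName, Email FROM dbo.Users WHERE UserName = 'x' OR 1=1 --'
-- (the -- comments out the closing quote) and returns every row.
EXEC dbo.GetUserByName_Unsafe @UserName = N'x'' OR 1=1 --';
GO

-- HARDENED: if the statement really must be built dynamically, keep the
-- value out of the SQL text and hand it to sp_executesql as a typed parameter.
CREATE PROCEDURE dbo.GetUserByName_Safe
    @UserName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT UserId, UserName, Email FROM dbo.Users WHERE UserName = @p_UserName';
    EXEC sys.sp_executesql
         @sql,
         N'@p_UserName NVARCHAR(50)',
         @p_UserName = @UserName;
END;
GO

-- The same payload is now compared literally against UserName and matches no row.
EXEC dbo.GetUserByName_Safe @UserName = N'x'' OR 1=1 --';
GO
```

The one thing sp_executesql cannot parameterise is an identifier (a table or column name chosen at runtime); for those, check the value against an allowlist of known names and wrap it with QUOTENAME() before concatenating, rather than splicing the raw string into the statement.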



On Jul 21, 2008, at 2:37 PM, John Mason wrote:

Cfqueryparam or cfstoredproc will naturally prevent this, but you
should also be logging these attack attempts to monitor the activity.
Portcullis (portcullis.riaforge.org), a cfc filter, can do this. An
even better option is to implement a web application firewall.
John Mason
[EMAIL PROTECTED]
770.337.8363

www.FusionLink.com - ColdFusion and Flex hosting
Now offering VPS Plans running with VMware technology
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion hosting



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas
Knudsen
Sent: Monday, July 21, 2008 1:46 PM
To: discussion@acfug.org
Subject: [ACFUG Discuss] Re: SQL injection in the recent news again

http://www.cfwhisperer.com/post.cfm/urgent-sql-injection-attack-vulnerability

DK
--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?

-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists Archive @
http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
