Re: CFFILE move is copying

2010-01-15 Thread Scott Brady

Actually, I found a way around it.  I'm using the underlying Java file
reader (which is what I assume cfloop type=file uses) that also
includes a close() method that fixes it.  I would think cfloop
would do that automatically once you exit the loop (whether upon the
end of the file or prematurely), but maybe there are times you
wouldn't want it to.

Scott



-- 
Scott Brady
http://www.scottbrady.net/

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329704
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


Re: CF5 download

2010-01-15 Thread Tom Chiverton

Maybe Halliwells should enter the 'comedy causer of the year' instead :-)

-- 
Helping to enthusiastically iterate sticky visionary infomediaries as part of 
the IT team of the year, '09 and '08




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329705


Re: CF5 download

2010-01-15 Thread Dave Watts

> Maybe Halliwells should enter the 'comedy causer of the year' instead :-)
>
> --
> Helping to enthusiastically iterate sticky visionary infomediaries as part of
> the IT team of the year, '09 and '08

I don't know, today's sounds more like a porn vendor, with the sticky
visionary infomediaries.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329706


RE: Login protection and verification

2010-01-15 Thread Justin Scott

> I want to protect my site login.  I first want to lock users
> out after so many failed login attempts.  Lock them out for
> a specified amount of time.

The way I usually approach this is to use a logging table.  Each time a
login is attempted it gets put into a table with the username, a timestamp,
their IP, and the failure reason.  Before each login is tried, I pull a
count of the login attempts from the table within the last X minutes.  If
the count is over some threshold (usually 3 or 5) then I fail the login
immediately then return an error.  Once X minutes passes, the query would no
longer return a count over the threshold and the account can be used again.
Simple way to do auto-lockout without having to rely on scheduled processes
at all.  Alternatively, you can have the lockout routine set a bit on the
account to permanently lock it out as well if desired.


-Justin
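
The logging-table lockout described in the message above, as an added example that is not code from the original post. The table LoginAttempts and its columns, the variables lockoutMinutes and maxFailures, and the function checkCredentials() are assumptions made for illustration. Only rows logged as bad credentials are counted, so attempts made during a lockout are recorded without extending it.

```cfml
<!--- Added example. Assumed names: table LoginAttempts(Username, AttemptedAt,
      IPAddress, FailureReason), lockoutMinutes, maxFailures, and the
      hypothetical function checkCredentials(). --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">

<cfset lockoutMinutes = 15>  <!--- the "X minutes" window --->
<cfset maxFailures    = 5>   <!--- the threshold --->
<cfset windowStart    = DateAdd("n", -lockoutMinutes, Now())>
<cfset failureReason  = "">

<!--- 1. Before trying the login, count this username's recent failures.
         Rows logged as "locked out" are not counted, so the account
         frees itself once the window has passed. --->
<cfquery name="qryRecentFailures" datasource="#Application.DSN#">
    SELECT COUNT(*) AS FailCount
    FROM   LoginAttempts
    WHERE  Username      = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
    AND    AttemptedAt  >= <cfqueryparam value="#windowStart#" cfsqltype="cf_sql_timestamp">
    AND    FailureReason = 'bad credentials'
</cfquery>

<cfif qryRecentFailures.FailCount GTE maxFailures>
    <!--- 2. Over the threshold: fail at once, without checking the password --->
    <cfset failureReason = "locked out">
<cfelseif NOT checkCredentials(form.username, form.password)>
    <cfset failureReason = "bad credentials">
</cfif>

<!--- 3. Log every attempt. FailureReason is NULL for a successful login. --->
<cfquery datasource="#Application.DSN#">
    INSERT INTO LoginAttempts (Username, AttemptedAt, IPAddress, FailureReason)
    VALUES (
        <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#Now()#" cfsqltype="cf_sql_timestamp">,
        <cfqueryparam value="#CGI.REMOTE_ADDR#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#failureReason#" cfsqltype="cf_sql_varchar"
                      null="#NOT Len(failureReason)#">
    )
</cfquery>

<cfif Len(failureReason)>
    <cfset loginError = "Login failed or account temporarily locked.">
<cfelse>
    <cfset session.username = form.username>
</cfif>
```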



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329707


RE: CFFILE move is copying

2010-01-15 Thread brad

Either way, you should write up all the details and some sample code and
submit it to Adobe.  

http://www.adobe.com/go/wish

~Brad

-------- Original Message --------
Subject: Re: CFFILE move is copying
From: Scott Brady <dsbr...@gmail.com>
Date: Fri, January 15, 2010 5:18 am
To: cf-talk <cf-talk@houseoffusion.com>


Actually, I found a way around it. I'm using the underlying Java file
reader (which is what I assume cfloop type=file uses) that also
includes a close() method that fixes it. I would think cfloop
would do that automatically once you exit the loop (whether upon the
end of the file or prematurely), but maybe there are times you
wouldn't want it to.

Scott




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329708


More Efficient (Faster) Method

2010-01-15 Thread Nick Sweeney

Hey everyone - I was wondering if anyone could suggest a better method of 
doing this.

Essentially I am creating a dropdown list of Shipping Prices - based on the day 
they are making the purchase. (Customer defined Next Day Shipping prices - 
not UPS)

It's Working - but I wonder if there is a more efficient way of doing the same 
thing... Not so many loops or cfif's...  

Thoughts? Ideas?  Thanks! - Nick

Live Example here: http://cf.bigfatdesigns.com/cart/ShipCostTest.cfm 

Code:
<!---Set The Item Price FOR DEMO--->
<cfset ThisItemPrice = 39.99>

<!--- Setup Dates For Price Structure --->
<cfset TodaysDate = "1/15/2010">


<!--- Get Shipping Fees based on Cost --->
<cfquery name="qryGetShipCosts" datasource="#Application.DSN#"
username="#Application.username#" password="#Application.password#">
SELECT SCostID, MinItemPrice, MaxItemPrice, Standard, TwoDay, NextDay, Saturday
FROM ShipCostChart
WHERE MinItemPrice < #ThisItemPrice#
AND MaxItemPrice > #ThisItemPrice#
</cfquery>

<!---
Determine the FIRST possible day we can ship on
Based on What Day Of The Week TODAY is
*Set as first day of dropdown for Next Day Shipping*
--->
<!--- IF Sunday, Ship Tuesday--->
<cfif #DayOfWeek(TodaysDate)# EQ 1>
    <cfset NewDay = #DateAdd("d", 2, TodaysDate)#>
<!--- IF Monday, Ship Wed--->
<cfelseif #DayOfWeek(TodaysDate)# EQ 2>
    <cfset NewDay = #DateAdd("d", 2, TodaysDate)#>
<!--- IF Tuesday, Ship Thurs--->
<cfelseif #DayOfWeek(TodaysDate)# EQ 3>
    <cfset NewDay = #DateAdd("d", 2, TodaysDate)#>
<!--- IF Wednesday, Ship Fri--->
<cfelseif #DayOfWeek(TodaysDate)# EQ 4>
    <cfset NewDay = #DateAdd("d", 2, TodaysDate)#>
<!--- IF Thursday, Ship Monday--->
<cfelseif #DayOfWeek(TodaysDate)# EQ 5>
    <cfset NewDay = #DateAdd("d", 4, TodaysDate)#>
<!--- IF Friday, Ship Tues--->
<cfelseif #DayOfWeek(TodaysDate)# EQ 6>
    <cfset NewDay = #DateAdd("d", 4, TodaysDate)#>
<!--- IF Saturday, Ship Tues--->
<cfelseif #DayOfWeek(TodaysDate)# EQ 7>
    <cfset NewDay = #DateAdd("d", 3, TodaysDate)#>
</cfif>

<cfoutput>
<h1>START  TODAY  #DayOfWeekAsString(DayOfWeek(TodaysDate))#   #NewDay# </h1>
<p><em>LIST will actually be a SELECT Drop Down</em></p>
<ul>
<cfloop from="1" to="30" index="i">
    <cfif #DayOfWeek(NewDay)# NEQ 1>

    <li>#LSDateFormat(NewDay, 'mmm-dd-')# -
    #DayOfWeekAsString(DayOfWeek(NewDay))#

    <cfloop query="qryGetShipCosts">
        <!---Next Day Delivery --->
        <cfif i EQ 1>
            <strong>#qryGetShipCosts.NextDay#</strong>
        <!---Two Day Delivery --->
        <cfelseif i EQ 2>
            <strong>#qryGetShipCosts.TwoDay#</strong>
        <cfelse>
            <cfif #DayOfWeek(NewDay)# NEQ 7>
                #qryGetShipCosts.Standard#
            <cfelse>
                #qryGetShipCosts.Saturday#
            </cfif>
        </cfif>
    </cfloop>

    </li>

    </cfif>
    <cfset NewDay = #DateAdd("d", 1, NewDay)#>
</cfloop>
</ul>

</cfoutput>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329709


RE: Recent SQL Injection attacks

2010-01-15 Thread Al Musella, DPM

For coldfusion, I use Fusionreactor..  I look at the request history, 
and you see the templates that were recently called with the  url 
parameters..   when an attack is in progress, you see a lot of them 
with big url parameters. Easy to see at a glance.  Best part is then 
you can view the sql queries that ran  and how many rows were 
affected!  I can verify that they don't get through to the real 
database - just the query logging the attempt in my HACK database!
   I wouldn't run a cold fusion server without a tool like fusion 
reactor.   I created my website with coldfusion 2.0, and a lot of the 
pages haven't been updated (except for sql injection proofing) since 
then.. and I learned a lot since then..  fusion reactor gives me the 
list of slow running pages, and I try to improve at least one of them 
every day. I made the entire site much faster, and concentrated on 
the most frequently used pages.  Before fusionreactor, I had no idea 
which pages were the slowest, and what was being looked at right now 
and by whom, and how the queries were doing - timewise and memory wise.


For the forms,   my website deals with some mentally challenged 
people and really important stuff.. so I try to make it easy for 
them.   I log all attempts to login.  I get an alert if someone fails 
more than twice.  I get a screen with the username they are trying, 
the passwords they tried, the real password, name , location (so I 
know the time zone)  phone number - as well as a way to unlock it ( 
it gets locked after 3 unsuccessful attempts).  I can tell if it is a 
real person struggling or if it is someone trying to break in.  If 
they are trying to break in, I add their ip address to our list of 
banned ip addresses.  If it is a real person, and the local time is 
reasonable, I call them and help them get in. I am planning on adding 
chat capability soon.

  I usually turn off ftp on my server, except when I need someone to 
upload a large file like an mri. I had it on recently and noticed the 
log file was way too big (it is usually 1-2k, and now it was like 
100k).. so I looked through it and saw someone was alternating 
between trying administrator and webmaster as the user names, and 
many passwords.  Never got in. I don't have an administrator or 
webmaster account allowed for ftp access:)




At 04:11 PM 1/13/2010, you wrote:
> How do you guys monitor these attacks?  The webserver logs?



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329710


Re: More Efficient (Faster) Method

2010-01-15 Thread Qing Xia

Check out this UDF: http://www.cflib.org/udf/BusinessDaysAdd

Also, if I may venture to suggest:

   1. You don't need sharp signs inside ColdFusion tags
   2. It would be nice to use cfqueryparam to pass in those variables to
   your query--faster and more secure.

Happy Friday!

On Fri, Jan 15, 2010 at 5:21 PM, Nick Sweeney <n...@bigfatdesigns.com> wrote:

>
> Hey everyone - I was wondering if anyone could suggest a better method of
> doing this.
>
> Essentially I am creating a dropdown list of Shipping Prices - based on the
> day they are making the purchase. (Customer defined Next Day Shipping
> prices - not UPS)
>
> It's Working - but I wonder if there is a more efficient way of doing the
> same thing... Not so many loops or cfif's...
>
> Thoughts? Ideas?  Thanks! - Nick
>
> Live Example here: http://cf.bigfatdesigns.com/cart/ShipCostTest.cfm
>
> Code:
> <!---Set The Item Price FOR DEMO--->
> <cfset ThisItemPrice = 39.99>
>
> <!--- Setup Dates For Price Structure --->
> <cfset TodaysDate = "1/15/2010">
>
>
> <!--- Get Shipping Fees based on Cost --->
> <cfquery name="qryGetShipCosts" datasource="#Application.DSN#"
> username="#Application.username#" password="#Application.password#">
> SELECT SCostID, MinItemPrice, MaxItemPrice, Standard, TwoDay, NextDay,
> Saturday
> FROM ShipCostChart
> WHERE MinItemPrice < #ThisItemPrice#
> AND MaxItemPrice > #ThisItemPrice#
> </cfquery>
>
> <!---
> Determine the FIRST possible day we can ship on
> Based on What Day Of The Week TODAY is
> *Set as first day of dropdown for Next Day Shipping*
> --->
> <!--- IF Sunday, Ship Tuesday--->
> <cfif #DayOfWeek(TodaysDate)# EQ 1>
>     <cfset NewDay = #DateAdd("d", 2, TodaysDate)#>
> <!--- IF Monday, Ship Wed--->
> <cfelseif #DayOfWeek(TodaysDate)# EQ 2>
>     <cfset NewDay = #DateAdd("d", 2, TodaysDate)#>
> <!--- IF Tuesday, Ship Thurs--->
> <cfelseif #DayOfWeek(TodaysDate)# EQ 3>
>     <cfset NewDay = #DateAdd("d", 2, TodaysDate)#>
> <!--- IF Wednesday, Ship Fri--->
> <cfelseif #DayOfWeek(TodaysDate)# EQ 4>
>     <cfset NewDay = #DateAdd("d", 2, TodaysDate)#>
> <!--- IF Thursday, Ship Monday--->
> <cfelseif #DayOfWeek(TodaysDate)# EQ 5>
>     <cfset NewDay = #DateAdd("d", 4, TodaysDate)#>
> <!--- IF Friday, Ship Tues--->
> <cfelseif #DayOfWeek(TodaysDate)# EQ 6>
>     <cfset NewDay = #DateAdd("d", 4, TodaysDate)#>
> <!--- IF Saturday, Ship Tues--->
> <cfelseif #DayOfWeek(TodaysDate)# EQ 7>
>     <cfset NewDay = #DateAdd("d", 3, TodaysDate)#>
> </cfif>
>
> <h1>START  TODAY  #DayOfWeekAsString(DayOfWeek(TodaysDate))#   #NewDay#
> </h1>
> <p><em>LIST will actually be a SELECT Drop Down</em></p>
> <ul>
> <cfloop from="1" to="30" index="i">
>     <cfif #DayOfWeek(NewDay)# NEQ 1>
>
>     <li>#LSDateFormat(NewDay, 'mmm-dd-')# -
>     #DayOfWeekAsString(DayOfWeek(NewDay))#
>
>     <cfloop query="qryGetShipCosts">
>         <!---Next Day Delivery --->
>         <cfif i EQ 1>
>             <strong>#qryGetShipCosts.NextDay#</strong>
>         <!---Two Day Delivery --->
>         <cfelseif i EQ 2>
>             <strong>#qryGetShipCosts.TwoDay#</strong>
>         <cfelse>
>             <cfif #DayOfWeek(NewDay)# NEQ 7>
>                 #qryGetShipCosts.Standard#
>             <cfelse>
>                 #qryGetShipCosts.Saturday#
>             </cfif>
>         </cfif>
>     </cfloop>
>
>     </li>
>
>     </cfif>
>     <cfset NewDay = #DateAdd("d", 1, NewDay)#>
> </cfloop>
> </ul>
>
> </cfoutput>
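
The two suggestions in the reply above, applied to the query and the date logic from the quoted post. This is an added example, not code from either poster. The variable shipOffsets is an assumed name, and the cf_sql_decimal type is an assumption about how the price columns are stored.

```cfml
<!--- Added example. shipOffsets is an assumed name; cf_sql_decimal assumes
      the MinItemPrice / MaxItemPrice columns are decimal. --->
<cfset ThisItemPrice = 39.99>
<cfset TodaysDate = "1/15/2010">

<!--- cfqueryparam sends the price as a bound parameter, so its value is
      never parsed as SQL text. The declared type also validates it:
      a non-numeric value raises an error before the query is sent. --->
<cfquery name="qryGetShipCosts" datasource="#Application.DSN#"
         username="#Application.username#" password="#Application.password#">
    SELECT SCostID, MinItemPrice, MaxItemPrice, Standard, TwoDay, NextDay, Saturday
    FROM   ShipCostChart
    WHERE  MinItemPrice < <cfqueryparam value="#ThisItemPrice#"
                                        cfsqltype="cf_sql_decimal" scale="2">
    AND    MaxItemPrice > <cfqueryparam value="#ThisItemPrice#"
                                        cfsqltype="cf_sql_decimal" scale="2">
</cfquery>

<!--- Expressions inside cfset and cfif need no pound signs. The day offsets
      from the original cfif chain, in DayOfWeek order (Sunday = 1 through
      Saturday = 7), become a single list lookup. --->
<cfset shipOffsets = "2,2,2,2,4,4,3">
<cfset NewDay = DateAdd("d", ListGetAt(shipOffsets, DayOfWeek(TodaysDate)), TodaysDate)>

<cfoutput>
<h1>START TODAY #DayOfWeekAsString(DayOfWeek(TodaysDate))# #NewDay#</h1>
</cfoutput>
```

Pound signs are still required where a variable is interpolated into an attribute string or into output, as in the datasource attribute and the cfoutput block.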

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329711


RE: Recent SQL Injection attacks

2010-01-15 Thread Chung Chow

On the SQL injection subject, here's something I add in all my projects.
I usually use this snippet of code to intercept at the top level. It
helps. 

<!--- Flags a query string that contains DECLARE, CAST(, EXEC( or EXEC%,
      or that is 700 or more characters long --->
<cffunction name="isSQLInjection" access="public" hint="Checks to see if there is a possible SQL Injection attempt">
    <cfscript>
    if ( isdefined("cgi.query_string") and (
        findnocase("DECLARE",cgi.query_string) or
        findnocase("CAST(",cgi.query_string) or
        findnocase("EXEC(",cgi.query_string) or
        findnocase("EXEC%",cgi.query_string) or len(cgi.query_string) gte 700
    ) ) return true;
    else return false;
    </cfscript>
</cffunction>

> -----Original Message-----
> From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
> Sent: Friday, January 15, 2010 2:44 PM
> To: cf-talk
> Subject: RE: Recent SQL Injection attacks
>
>
> For coldfusion, I use Fusionreactor..  I look at the request history,
> and you see the templates that were recently called with the  url
> parameters..   when an attack is in progress, you see a lot of them
> with big url parameters. Easy to see at a glance.  Best part is then
> you can view the sql queries that ran  and how many rows were
> affected!  I can verify that they don't get through to the real
> database - just the query logging the attempt in my HACK database!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329712


Re: CFFILE move is copying

2010-01-15 Thread Scott Brady

Well, I tried to, but every time I submit the form (using FireFox on
Mac OS X), it says I haven't filled out forms I most certainly have
filled out (e-mail address, etc.).

Anyone know how to submit a bug report for their bug report form?  :)


On Fri, Jan 15, 2010 at 1:38 PM,  <b...@bradwood.com> wrote:
>
> Either way, you should write up all the details and some sample code and
> submit it to Adobe.
>
> http://www.adobe.com/go/wish
>
> ~Brad
>
> -------- Original Message --------
> Subject: Re: CFFILE move is copying
> From: Scott Brady <dsbr...@gmail.com>
> Date: Fri, January 15, 2010 5:18 am
> To: cf-talk <cf-talk@houseoffusion.com>
>
>
> Actually, I found a way around it. I'm using the underlying Java file
> reader (which is what I assume cfloop type=file uses) that also
> includes a close() method that fixes it. I would think cfloop
> would do that automatically once you exit the loop (whether upon the
> end of the file or prematurely), but maybe there are times you
> wouldn't want it to.
>
> Scott




 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329713


Re: More Efficient (Faster) Method

2010-01-15 Thread Leigh

> <!---Next Day Delivery --->
> <cfif i EQ 1>
> <strong>#qryGetShipCosts.NextDay#</strong>

What are the prices relative to: when the item is shipped by you, or when it is 
delivered?




  

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329714


RE: CFFILE move is copying

2010-01-15 Thread brad

Hmm, I've used that form many times and never had any problems.  If
you're on CF9, you can try the public bug tracker:
http://cfbugs.adobe.com/cfbugreport/flexbugui/cfbugtracker/main.html

If you really are having troubles submitting a bug via the go/wish form,
your best bet might be to try and ping Ben Forta or Adam Lehman.

~Brad


-------- Original Message --------
Subject: Re: CFFILE move is copying
From: Scott Brady <dsbr...@gmail.com>
Date: Fri, January 15, 2010 7:36 pm
To: cf-talk <cf-talk@houseoffusion.com>


Well, I tried to, but every time I submit the form (using FireFox on
Mac OS X), it says I haven't filled out forms I most certainly have
filled out (e-mail address, etc.).

Anyone know how to submit a bug report for their bug report form? :)



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329715


RE: Recent SQL Injection attacks

2010-01-15 Thread Al Musella, DPM

What I do is similar..  IF I detect a sql injection, I also add the 
ip address of the user to my banned IP list. I ban them for a week.. 
this way if they manage to find a page that isn't protected, they 
can't do any damage.  I use a server variable to hold the list of 
banned IP addresses, so I can share the list among the few websites I host.
  Then whenever anyone requests a page, I check if their ip is on the 
banned list, if so, I just log it and display an error page saying 
the website is down for maintenance and return soon.



At 06:02 PM 1/15/2010, Chung Chow wrote:

> On the SQL injection subject, here's something I add in all my projects.
> I usually use this snippet of code to intercept at the top level. It
> helps.
>
> <cffunction name="isSQLInjection" access="public" hint="Checks to see if there is a possible SQL Injection attempt">
>     <cfscript>
>     if ( isdefined("cgi.query_string") and (
>         findnocase("DECLARE",cgi.query_string) or
>         findnocase("CAST(",cgi.query_string) or
>         findnocase("EXEC(",cgi.query_string) or
>         findnocase("EXEC%",cgi.query_string) or len(cgi.query_string) gte 700
>     ) ) return true;
>     else return false;
>     </cfscript>
> </cffunction>
>
> > -----Original Message-----
> > From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
> > Sent: Friday, January 15, 2010 2:44 PM
> > To: cf-talk
> > Subject: RE: Recent SQL Injection attacks
> >
> >
> > For coldfusion, I use Fusionreactor..  I look at the request history,
> > and you see the templates that were recently called with the  url
> > parameters..   when an attack is in progress, you see a lot of them
> > with big url parameters. Easy to see at a glance.  Best part is then
> > you can view the sql queries that ran  and how many rows were
> > affected!  I can verify that they don't get through to the real
> > database - just the query logging the attempt in my HACK database!
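
A shared ban list with a one-week expiry, along the lines of the message above, as an added example that is not the poster's code. The names server.bannedIPs, banIP(), isBanned(), the log file name bannedRequests and the template maintenance.cfm are assumptions; isSQLInjection() is the function quoted in this thread.

```cfml
<!--- Added example. Assumed names: server.bannedIPs, banIP(), isBanned(),
      the bannedRequests log and maintenance.cfm. --->

<cffunction name="banIP" access="public" returntype="void" output="false">
    <cfargument name="ip" type="string" required="true">
    <cfargument name="banDays" type="numeric" default="7">
    <!--- The server scope is shared by every application on the instance,
          so writes are serialised with an exclusive lock --->
    <cflock scope="server" type="exclusive" timeout="5">
        <cfif NOT StructKeyExists(server, "bannedIPs")>
            <cfset server.bannedIPs = StructNew()>
        </cfif>
        <!--- Store the expiry time rather than a flag, so the ban lifts itself --->
        <cfset server.bannedIPs[arguments.ip] = DateAdd("d", arguments.banDays, Now())>
    </cflock>
</cffunction>

<cffunction name="isBanned" access="public" returntype="boolean" output="false">
    <cfargument name="ip" type="string" required="true">
    <cfset var banned = false>
    <cflock scope="server" type="exclusive" timeout="5">
        <cfif StructKeyExists(server, "bannedIPs")
              AND StructKeyExists(server.bannedIPs, arguments.ip)>
            <cfif DateCompare(Now(), server.bannedIPs[arguments.ip]) LT 0>
                <cfset banned = true>
            <cfelse>
                <!--- Ban has expired: drop the entry so the list does not grow forever --->
                <cfset StructDelete(server.bannedIPs, arguments.ip)>
            </cfif>
        </cfif>
    </cflock>
    <cfreturn banned>
</cffunction>

<!--- At the top of every request (Application.cfm or onRequestStart).
      CGI.REMOTE_ADDR is the address of the nearest hop: behind a proxy or
      load balancer it is the proxy's address, and banning it would block
      every visitor coming through that proxy. --->
<cfif isBanned(CGI.REMOTE_ADDR)>
    <cflog file="bannedRequests" text="Blocked #CGI.REMOTE_ADDR# requesting #CGI.SCRIPT_NAME#">
    <cfinclude template="maintenance.cfm">
    <cfabort>
</cfif>

<cfif isSQLInjection()>
    <cfset banIP(CGI.REMOTE_ADDR)>
    <cflog file="bannedRequests" text="Banned #CGI.REMOTE_ADDR# for 7 days">
    <cfinclude template="maintenance.cfm">
    <cfabort>
</cfif>
```

A list kept in the server scope is emptied when the ColdFusion service restarts, so bans that must survive a restart need to be persisted elsewhere.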



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329720


RE: Recent SQL Injection attacks

2010-01-15 Thread Al Musella, DPM

What I do is similar..  IF I detect a sql injection, I also add the 
ip address of the user to my banned IP list. I ban them for a week.. 
this way if they manage to find a page that isn't protected, they 
can't do any damage.  I use a server variable to hold the list of 
banned IP addresses, so I can share the list among the few websites I host.
  Then whenever anyone requests a page, I check if their ip is on the 
banned list, if so, I just log it and display an error page saying 
the website is down for maintenance and return soon.



At 06:02 PM 1/15/2010, Chung Chow wrote:

On the SQL injection subject, here's something I add in all my projects.
I usually use this snippet of code to intercept at the top level. It
helps.

cffunction name=isSQLInjection access=public hint=Checks to see if
there is a possible SQL Injection attempt
 cfscript
 if ( isdefined(cgi.query_string) and (
findnocase(DECLARE,cgi.query_string) or
findnocase(CAST(,cgi.query_string) or
findnocase(EXEC(,cgi.query_string) or
findnocase(EXEC%,cgi.query_string)or len(cgi.query_string) gte 700
) ) return true;
 else return false;
 /cfscript
/cffunction

  -Original Message-
  From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
  Sent: Friday, January 15, 2010 2:44 PM
  To: cf-talk
  Subject: RE: Recent SQL Injection attacks
 
 
  For coldfusion, I use Fusionreactor..  I look at the request history,
  and you see the templates that were recently called with the  url
  parameters..   when an attack is in progress, you see a lot of them
  with big url parameters. Easy to see at a glance.  Best part is then
  you can view the sql queries that ran  and how many rows were
  affected!I can verify that they don't get through to the real
  database - just the query logging the attempt in my HACK database!



~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329721
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


RE: Recent SQL Injection attacks

2010-01-15 Thread Al Musella, DPM

What I do is similar..  IF I detect a sql injection, I also add the 
ip address of the user to my banned IP list. I ban them for a week.. 
this way if they manage to find a page that isn't protected, they 
can't do any damage.  I use a server variable to hold the list of 
banned IP addresses, so I can share the list among the few websites I host.
  Then whenever anyone requests a page, I check if their ip is on the 
banned list, if so, I just log it and display an error page saying 
the website is down for maintenance and return soon.



At 06:02 PM 1/15/2010, Chung Chow wrote:

On the SQL injection subject, here's something I add in all my projects.
I usually use this snippet of code to intercept at the top level. It
helps.

cffunction name=isSQLInjection access=public hint=Checks to see if
there is a possible SQL Injection attempt
 cfscript
 if ( isdefined(cgi.query_string) and (
findnocase(DECLARE,cgi.query_string) or
findnocase(CAST(,cgi.query_string) or
findnocase(EXEC(,cgi.query_string) or
findnocase(EXEC%,cgi.query_string)or len(cgi.query_string) gte 700
) ) return true;
 else return false;
 /cfscript
/cffunction

  -Original Message-
  From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
  Sent: Friday, January 15, 2010 2:44 PM
  To: cf-talk
  Subject: RE: Recent SQL Injection attacks
 
 
  For coldfusion, I use Fusionreactor..  I look at the request history,
  and you see the templates that were recently called with the  url
  parameters..   when an attack is in progress, you see a lot of them
  with big url parameters. Easy to see at a glance.  Best part is then
  you can view the sql queries that ran  and how many rows were
  affected!I can verify that they don't get through to the real
  database - just the query logging the attempt in my HACK database!



~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329717
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


RE: Recent SQL Injection attacks

2010-01-15 Thread Al Musella, DPM

What I do is similar..  IF I detect a sql injection, I also add the 
ip address of the user to my banned IP list. I ban them for a week.. 
this way if they manage to find a page that isn't protected, they 
can't do any damage.  I use a server variable to hold the list of 
banned IP addresses, so I can share the list among the few websites I host.
  Then whenever anyone requests a page, I check if their ip is on the 
banned list, if so, I just log it and display an error page saying 
the website is down for maintenance and return soon.



At 06:02 PM 1/15/2010, Chung Chow wrote:

On the SQL injection subject, here's something I add in all my projects.
I usually use this snippet of code to intercept at the top level. It
helps.

cffunction name=isSQLInjection access=public hint=Checks to see if
there is a possible SQL Injection attempt
 cfscript
 if ( isdefined(cgi.query_string) and (
findnocase(DECLARE,cgi.query_string) or
findnocase(CAST(,cgi.query_string) or
findnocase(EXEC(,cgi.query_string) or
findnocase(EXEC%,cgi.query_string)or len(cgi.query_string) gte 700
) ) return true;
 else return false;
 /cfscript
/cffunction

  -Original Message-
  From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
  Sent: Friday, January 15, 2010 2:44 PM
  To: cf-talk
  Subject: RE: Recent SQL Injection attacks
 
 
  For coldfusion, I use Fusionreactor..  I look at the request history,
  and you see the templates that were recently called with the  url
  parameters..   when an attack is in progress, you see a lot of them
  with big url parameters. Easy to see at a glance.  Best part is then
  you can view the sql queries that ran  and how many rows were
  affected!I can verify that they don't get through to the real
  database - just the query logging the attempt in my HACK database!



~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329722
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


RE: Recent SQL Injection attacks

2010-01-15 Thread Al Musella, DPM

What I do is similar..  IF I detect a sql injection, I also add the 
ip address of the user to my banned IP list. I ban them for a week.. 
this way if they manage to find a page that isn't protected, they 
can't do any damage.  I use a server variable to hold the list of 
banned IP addresses, so I can share the list among the few websites I host.
  Then whenever anyone requests a page, I check if their ip is on the 
banned list, if so, I just log it and display an error page saying 
the website is down for maintenance and return soon.



At 06:02 PM 1/15/2010, Chung Chow wrote:

On the SQL injection subject, here's something I add in all my projects.
I usually use this snippet of code to intercept at the top level. It
helps.

cffunction name=isSQLInjection access=public hint=Checks to see if
there is a possible SQL Injection attempt
 cfscript
 if ( isdefined(cgi.query_string) and (
findnocase(DECLARE,cgi.query_string) or
findnocase(CAST(,cgi.query_string) or
findnocase(EXEC(,cgi.query_string) or
findnocase(EXEC%,cgi.query_string)or len(cgi.query_string) gte 700
) ) return true;
 else return false;
 /cfscript
/cffunction

  -Original Message-
  From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
  Sent: Friday, January 15, 2010 2:44 PM
  To: cf-talk
  Subject: RE: Recent SQL Injection attacks
 
 
  For coldfusion, I use Fusionreactor..  I look at the request history,
  and you see the templates that were recently called with the  url
  parameters..   when an attack is in progress, you see a lot of them
  with big url parameters. Easy to see at a glance.  Best part is then
  you can view the sql queries that ran  and how many rows were
  affected!I can verify that they don't get through to the real
  database - just the query logging the attempt in my HACK database!



~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329716
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


RE: Recent SQL Injection attacks

2010-01-15 Thread Al Musella, DPM

What I do is similar..  IF I detect a sql injection, I also add the 
ip address of the user to my banned IP list. I ban them for a week.. 
this way if they manage to find a page that isn't protected, they 
can't do any damage.  I use a server variable to hold the list of 
banned IP addresses, so I can share the list among the few websites I host.
  Then whenever anyone requests a page, I check if their ip is on the 
banned list, if so, I just log it and display an error page saying 
the website is down for maintenance and return soon.



At 06:02 PM 1/15/2010, Chung Chow wrote:

On the SQL injection subject, here's something I add in all my projects.
I usually use this snippet of code to intercept at the top level. It
helps.

<cffunction name="isSQLInjection" access="public" hint="Checks to see if there is a possible SQL Injection attempt">
 <cfscript>
 if ( isdefined("cgi.query_string") and (
findnocase("DECLARE",cgi.query_string) or
findnocase("CAST(",cgi.query_string) or
findnocase("EXEC(",cgi.query_string) or
findnocase("EXEC%",cgi.query_string) or len(cgi.query_string) gte 700
) ) return true;
 else return false;
 </cfscript>
</cffunction>

  -Original Message-
  From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
  Sent: Friday, January 15, 2010 2:44 PM
  To: cf-talk
  Subject: RE: Recent SQL Injection attacks
 
 
  For ColdFusion, I use FusionReactor. I look at the request history,
  and you see the templates that were recently called with the URL
  parameters. When an attack is in progress, you see a lot of them
  with big URL parameters. Easy to see at a glance. Best part is then
  you can view the SQL queries that ran and how many rows were
  affected! I can verify that they don't get through to the real
  database - just the query logging the attempt in my HACK database!



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329718
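
The week-long ban list described in the message above, sketched as an added example (not code posted in the thread). It assumes these functions sit in Application.cfc beside the quoted isSQLInjection() UDF; server.bannedIPs, banIP, isBanned, the sqlinjection log name and maintenance.cfm are hypothetical names.

```cfml
<!--- Added example: server-scoped ban list with a one-week expiry. --->
<cffunction name="banIP" access="private" returntype="void" output="false">
    <cfargument name="ip" type="string" required="true">
    <cflock scope="server" type="exclusive" timeout="5">
        <cfif not structKeyExists(server, "bannedIPs")>
            <cfset server.bannedIPs = structNew()>
        </cfif>
        <!--- Store the expiry time (one week from now), not just a flag. --->
        <cfset server.bannedIPs[arguments.ip] = dateAdd("d", 7, now())>
    </cflock>
</cffunction>

<cffunction name="isBanned" access="private" returntype="boolean" output="false">
    <cfargument name="ip" type="string" required="true">
    <cfset var banned = false>
    <cflock scope="server" type="exclusive" timeout="5">
        <cfif structKeyExists(server, "bannedIPs") and structKeyExists(server.bannedIPs, arguments.ip)>
            <cfif dateCompare(now(), server.bannedIPs[arguments.ip]) lt 0>
                <cfset banned = true>
            <cfelse>
                <!--- Ban expired: drop the entry so the list does not grow forever. --->
                <cfset structDelete(server.bannedIPs, arguments.ip)>
            </cfif>
        </cfif>
    </cflock>
    <cfreturn banned>
</cffunction>

<cffunction name="onRequestStart" access="public" returntype="boolean" output="true">
    <cfargument name="targetPage" type="string" required="true">
    <cfif isSQLInjection()>
        <!--- Log a bounded slice of the query string, then ban the caller. --->
        <cflog file="sqlinjection" type="warning"
               text="Banned #cgi.remote_addr#: #left(cgi.query_string, 200)#">
        <cfset banIP(cgi.remote_addr)>
    </cfif>
    <cfif isBanned(cgi.remote_addr)>
        <cflog file="sqlinjection" type="information"
               text="Blocked request from banned IP #cgi.remote_addr#">
        <cfinclude template="maintenance.cfm">
        <!--- Returning false stops ColdFusion from processing the requested page. --->
        <cfreturn false>
    </cfif>
    <cfreturn true>
</cffunction>
```

Behind a proxy or load balancer cgi.remote_addr is the proxy's address, so a ban keyed on it would block every visitor coming through that proxy.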


RE: More Efficient (Faster) Method

2010-01-15 Thread Eric Nicholas Sweeney

You are absolutely right Qing - a little sloppy of me in the coding. Fixed
now. Thanks!

As for the UDF - I am not sure that works - as I need Saturday as an
option... 

Are there any thoughts on the <cfif>s and loops?  Is that the best way to
handle this?  I may have to run this as a UDF several times on a page - and
I was just wondering about performance.

I am trying to learn how to make things go faster - or more streamlined...
And this seems like the perfect case - but I don't know what else to do... 

- Nick



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329723


RE: More Efficient (Faster) Method

2010-01-15 Thread Eric Nicholas Sweeney

Leigh - 

I believe it is when it is shipped TO you. (When the customer can expect it
to show up.)  It's based on the pricing/shipping matrix on FTD. (I need to
duplicate their structure)

http://www.ftd.com/delivery-charges/ 

They provide detailed charts of pricing and when Items can be expected based
on what day (and time of day) you order it. I am slightly simplifying mine
by eliminating the Time of Day - and assuming all orders are placed AFTER
2pm... (Because I know they will be)

So NextDay Fee is determined by a few things:
 - What Day are you ordering on
 - How Expensive is the item you are buying

Saturdays are a fixed rate of 35.99
Others are variable based on the price of the item.


-Original Message-
From: Leigh [mailto:cfsearch...@yahoo.com] 
Sent: Friday, January 15, 2010 7:53 PM
To: cf-talk
Subject: Re: More Efficient (Faster) Method


 <!---Next Day Delivery --->
 <cfif i EQ 1>
<strong>#qryGetShipCosts.NextDay#</strong>

What are the prices relative to: when the item is shipped by you, or when it
is delivered?




  



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329724