RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta
I also use this to get the new key on inserted records, and have used cfqueryparam for years to protect against this sort of attack, and for performance reasons. Functionality shouldn't be sacrificed just to protect careless developers from themselves.

John

-----Original Message-----
From: Dave Francis
Sent: Friday, July 25, 2008 12:16 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

I find it useful on occasion with INSERT then SELECT @IDENTITY

-----Original Message-----
From: Al Musella, DPM
Sent: Friday, July 25, 2008 12:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

Ben,

Seeing as how this type of sql injection attack is succeeding so much (even my favorite fishing website has been down for days due to it (it is a .cfm site))... how about changing cfquery so that by default, only ONE sql statement can be sent. Let us override that with a parameter in cfquery or a cfprocessingdirective type of thing in our application.cfm. I doubt many people use multiple sql statements in one cfquery, and those that do are probably advanced enough to know to add the parameter for allowing it. You can call this enhancement request cf_trainingWheels.

How many people out there group together (intentionally) multiple sql statements in one cfquery? (Like select email from users where id=1; drop table users)

Al

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309699
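As an added example (not code from the thread; ColdFusion is swapped for Python's built-in sqlite3 so it runs stand-alone), here is the stacked-statement input Al describes sent three ways: pasted into the SQL through a driver that accepts several statements, pasted into it through one that allows a single statement per call (his cf_trainingWheels default), and bound as a parameter the way cfqueryparam does. The users table and the input string are constructed.

```python
"""Added example, not code from the thread: what cfqueryparam does for the
stacked-statement input Al describes, and what his "one statement per
cfquery by default" proposal would catch. Python's built-in sqlite3 stands
in for the database; the users table and the input string are constructed."""
import sqlite3

# Constructed input shaped like the thread's example: a valid id followed by a
# second statement. Whether it runs depends entirely on how it is sent.
STACKED_INPUT = "1; drop table users"


def fresh_db() -> sqlite3.Connection:
    """In-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice@example.com"), (6, "bob@example.com")])
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def query_unsafe_multi(conn: sqlite3.Connection, user_id: str) -> None:
    """The pattern cfqueryparam replaces: the request value is pasted into the
    SQL text and sent through an API that accepts several statements in one
    call (executescript here, a permissive driver in the thread). Every
    statement in the string runs."""
    conn.executescript(f"SELECT email FROM users WHERE id={user_id}")


def query_unsafe_single(conn: sqlite3.Connection, user_id: str) -> bool:
    """Same string-building mistake, but the API allows one statement per
    call, which is the cf_trainingWheels default Al proposes. Returns True if
    the statement ran, False if the database layer refused it."""
    try:
        conn.execute(f"SELECT email FROM users WHERE id={user_id}")
        return True
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # sqlite3 reports: "You can only execute one statement at a time."
        return False


def email_by_id_param(conn: sqlite3.Connection, user_id: str):
    """The cfqueryparam equivalent: the value travels as a bound parameter, so
    the database never parses it as SQL. cfsqltype="cf_sql_integer" also
    rejects non-integer input before the query is sent; int() mirrors that."""
    try:
        bound = int(user_id)
    except ValueError:
        return None  # rejected at the boundary, never reaches the database
    row = conn.execute("SELECT email FROM users WHERE id=?", (bound,)).fetchone()
    return row[0] if row else None


def run_demo() -> dict:
    """Run the three variants against the constructed input and report."""
    results = {}

    conn = fresh_db()
    query_unsafe_multi(conn, STACKED_INPUT)
    results["multi_stmt_table_survives"] = table_exists(conn, "users")  # False

    conn = fresh_db()
    results["single_stmt_ran"] = query_unsafe_single(conn, STACKED_INPUT)  # False
    results["single_stmt_table_survives"] = table_exists(conn, "users")  # True

    results["param_stacked"] = email_by_id_param(conn, STACKED_INPUT)  # None
    results["param_valid"] = email_by_id_param(conn, "6")  # "bob@example.com"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Note that the single-statement refusal only catches stacking; the parameterised form is the one that also neutralises injection inside a single statement.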
RE: SYS-Con relies on dead technology
Google is your friend, or enemy depending on how you look at it.
http://people.langeconsulting.com/matt/

-----Original Message-----
From: Tom Chiverton
Sent: Tuesday, October 16, 2007 11:42 AM
To: CF-Talk
Subject: Re: SYS-Con relies on dead technology

On Tuesday 16 Oct 2007, [EMAIL PROTECTED] wrote:
http://www2.sys-con.com/globaldelete.cfm?emil=

I wonder who [EMAIL PROTECTED] is.

--
Tom Chiverton.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:291220
RE: Just a tidbit for those who might not have use iif before
and about whether Cost is truly a Boolean...

-----Original Message-----
From: Rob Wilkerson
Sent: Thursday, March 22, 2007 3:15 PM
To: CF-Talk
Subject: Re: Just a tidbit for those who might not have use iif before

Uh oh. You're probably about to get hammered with responses related to the performance cost...

On 3/22/07, Peterson, Chris wrote:
I have never really used iif before, I was aware it existed but didn't really see a good place for it. Until today. =)

Check this out:

dollarformat(iif(Cost, cost, 0))

That says, evaluate cost as a Boolean, if it's true (anything but 0 or null) then return cost, otherwise return 0 (so the dollarFormat does not break). This is great instead of a cfif around the whole thing. Kinda cool =)

Chris

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273438
RE: enctype problem - test page up - totally baffled at this point
Is it possible there is a problem with the CFIDE mapping, or some little error in the code? In the code you have:

<script type="text/javascript" src="includes/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

https://www.aaintl.com/includes/cfform.js can be downloaded by putting in the direct url, but both https://www.aaintl.com/CFIDE/scripts/cfform.js and https://www.aaintl.com/CFIDE/scripts/masks.js give me a 404 error.

Other than that, the forms work for me on Win2000/IE6, and Win2003/IE7.

-----Original Message-----
From: Les Mizzell
Sent: Tuesday, March 06, 2007 2:43 PM
To: CF-Talk
Subject: Re: enctype problem - test page up - totally baffled at this point

At this point, I'm totally confused! If I define the enctype, Explorer errors out. If I do a cfdump from the two forms, I get interesting results as well. No ideas from anybody?

https://www.aaintl.com/test.cfm

FORM ONE - NO ENCTYPE DEFINED

Firefox:
FIELDNAMES    NAME_COVERED,FILEPART,SUBMIT
FILEPART      myfile.txt
NAME_COVERED  Bob Smith
SUBMIT        submit

...but this will error out if there's an actual processing page with the CFFILE tag in it to process the file, because of the form default enctype:
Invalid content type: application/x-www-form-urlencoded.

Internet Explorer:
FIELDNAMES    NAME_COVERED,FILEPART,SUBMIT
FILEPART      E:\somefolder\myfile.txt
NAME_COVERED  Bob Smith
SUBMIT        submit

FORM TWO - ENCTYPE DEFINED AS multipart/form-data

Firefox:
FIELDNAMES    NAME_COVERED,FILEPART,SUBMIT
FILEPART      /usr/local/coldfusionmx7/runtime/servers/coldfusion/SERVER-INF/temp/wwwroot-tmp/neotmp72696.tmp
NAME_COVERED  Bob Smith
SUBMIT        submit

Internet Explorer:
Cannot find server or DNS Error

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271767
RE: Form Spam
I had the same problem on a "send this page to a friend" page on some of the sites I work on. I used the code from this post at http://mkruger.cfwebtools.com/index.cfm?mode=entry&entry=7014B27C-90BC-3F1C-AA33571605423A48 along with the trimFalseEmailHeaders UDF at cflib.org. See http://www.cflib.org/udf.cfm?id=1362 to not send the message if someone was trying to spam with it.

John

-----Original Message-----
From: Steve LaBadie
Sent: Monday, June 26, 2006 12:18 PM
To: CF-Talk
Subject: Form Spam

Several of my forms are being filled out with spam from levitra cialis. What can I do to stop this?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:244789
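Added example (not the cflib UDF or the linked blog code, neither of which is on this page): the kind of check a send-to-a-friend handler can run over the form before the mail tag sees it, refusing to send when a header field carries a line break, a recipient field holds more than one address, or the body contains header-shaped lines. The field names and the sample submissions are constructed.

```python
"""Added example, not the cflib UDF or the blog code the reply links (neither
is on this page): a pre-send check for a "send this page to a friend" form,
refusing to mail when a field carries injected headers or more than one
recipient. Field names and sample submissions are constructed."""
import re
from typing import Optional

# Fields whose values end up in mail headers; a line break in any of them is
# the classic way to smuggle extra headers (Bcc, Content-Type) into a message.
HEADER_FIELDS = ("friend_email", "sender_email", "subject")

# One plain address: no whitespace, no list separators, exactly one @.
SINGLE_ADDRESS = re.compile(r"^[^\s@,;<>]+@[^\s@,;<>]+\.[^\s@,;<>]+$")

# A body line that looks like a mail header, which a genuine note to a
# friend has no reason to contain (re.M makes ^ match at every line).
HEADER_SHAPED_LINE = re.compile(
    r"^\s*(?:to|cc|bcc|from|reply-to|subject|content-type|mime-version)\s*:",
    re.I | re.M,
)


def false_header_reason(form: dict) -> Optional[str]:
    """Return why the submission must not be mailed, or None if it is clean."""
    for name in HEADER_FIELDS:
        value = form.get(name, "")
        if "\r" in value or "\n" in value:
            return f"line break in header field '{name}'"
    for name in ("friend_email", "sender_email"):
        if not SINGLE_ADDRESS.match(form.get(name, "")):
            return f"'{name}' is not a single plain address"
    if HEADER_SHAPED_LINE.search(form.get("message", "")):
        return "header-shaped line in message body"
    return None


def should_send(form: dict) -> bool:
    """True only when no injection indicator was found."""
    return false_header_reason(form) is None


# Constructed submissions: one genuine, three shaped like relay attempts.
LEGITIMATE = {
    "friend_email": "friend@example.com",
    "sender_email": "me@example.org",
    "subject": "Thought you would like this page",
    "message": "Hi,\nhave a look at the product page I found.\nCheers",
}
INJECTED_BCC = dict(
    LEGITIMATE, friend_email="friend@example.com\r\nBcc: a@example.net, b@example.net"
)
MULTI_RECIPIENT = dict(LEGITIMATE, friend_email="a@example.net, b@example.net")
BODY_HEADERS = dict(
    LEGITIMATE, message='\nContent-Type: text/html\n\n<a href="http://spam.example">buy now</a>'
)


if __name__ == "__main__":
    for label, form in [("legitimate", LEGITIMATE), ("injected bcc", INJECTED_BCC),
                        ("multi recipient", MULTI_RECIPIENT), ("body headers", BODY_HEADERS)]:
        print(f"{label}: send={should_send(form)} reason={false_header_reason(form)}")
```

Rejecting the whole submission, rather than trimming the suspect lines, is the behaviour the reply describes wanting, and it keeps the handler from ever relaying a partially cleaned message.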
RE: Coldfusion with Godaddy
Not to beat a dead horse, but ask them about cfqueryparam and sql server on their shared hosting. Currently it fails with a security error.

John

-----Original Message-----
From: Ken Ketsdever
Sent: Tuesday, May 09, 2006 12:23 PM
To: CF-Talk
Subject: RE: Coldfusion with Godaddy

I paid for cf hosting with GoDaddy about two weeks ago and haven't bothered to set up the account or site yet. I just got a call from Jeff at GoDaddy.com stating that he sees that I have paid for hosting but haven't set it up yet and wanted to know if there was anything he could do to help. He is going to call me back in two hours and walk me through the set-up and all their options. If anyone has any questions you'd like answered I'll ask them when he calls back and try to get answers for you. At any rate I thought it was pretty decent customer service.

Ken

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:239976
RE: Coldfusion with Godaddy
Another question might be how they are currently doing client variable storage. I think it is currently set to the registry. It would be nice to have the option to set it to your db.

John

-----Original Message-----
From: Ken Ketsdever
Sent: Tuesday, May 09, 2006 12:23 PM
To: CF-Talk
Subject: RE: Coldfusion with Godaddy

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:239981
RE: Coldfusion with Godaddy
I think they probably never really got the point of my initial support request. I haven't tried cfstoredproc yet because none of my clients' sites use it, but there is definitely a problem with cfqueryparam and sql server, on my account at least. The following query

<cfquery name="qryTest" datasource="#app_dsn#">
SELECT *
FROM tblSites
WHERE intSiteID=<cfqueryparam cfsqltype="cf_sql_integer" value="6">
</cfquery>

fails with the following error:

Error Executing Database Query.
[Macromedia][SQLServer JDBC Driver][SQLServer]EXECUTE permission denied on object 'sp_prepexec', database 'master', owner 'dbo'.
The error occurred in snip: line 34
32 : SELECT *
33 : FROM tblSites
34 : WHERE intSiteID=<cfqueryparam cfsqltype="cf_sql_integer" value="6">
35 : </cfquery>
36 :

It's clearly a configuration issue on their end, but I am sure cfstoredproc will probably also fail. Like I said in an earlier message, I am going to submit another tech support request about it and reference this thread along with some of the other blogs about cfqueryparam, and Sean Corfield's blog on their ColdFusion hosting in general.

John

-----Original Message-----
From: Nathan Strutz
Sent: Monday, May 08, 2006 1:11 PM
To: CF-Talk
Subject: Re: Coldfusion with Godaddy

They probably meant (or should have said) that GoDaddy don't support cfstoredproc, which does run sp_prepexec for each result specified. It's pretty inefficient, but I think there is probably no other way to do multiple result sets through JDBC. This is the exact reason why I don't like and don't use cfstoredproc. It also seems like database storage client variables may do something like that... I don't exactly remember.

-nathan strutz
http://www.dopefly.com/

On 5/5/06, Mark A Kruger wrote:
I second that John. They are misinformed. I suspect their information came from a misconfigured DSN setting.

For example, if I set up a user bob and didn't change the default database for him, then set up a JDBC connection without specifying the database I wanted to connect to, it would try to connect to master (which is the default default database for any new user), but it would fail because master doesn't allow direct manipulation of data. Instead it comes with a set of SP's (sort of like an API) for making any changes. I would be very surprised if their information was accurate. More to the point, they are trading down when they deny cfqueryparam - not trading up. A site that doesn't use cfqueryparam is going to be less secure, slower, and will not be able to leverage the DB like it should.

-mark

-----Original Message-----
From: Snake
Sent: Friday, May 05, 2006 11:57 AM
To: CF-Talk
Subject: RE: Coldfusion with Godaddy

That's interesting, we have no such problem on our SQL servers. CFQUERYPARAM works fine, and every user only has access to their own database.

-----Original Message-----
From: John Rossi
Sent: 05 May 2006 17:47
To: CF-Talk
Subject: RE: Coldfusion with Godaddy

That's not entirely true. They do not, at least they told me they can't allow me to use cfqueryparam with sql server in shared hosting. Here's the final response I got from them.

After further researching the issue(s) at hand, we have determined the following: The line

EXECUTE permission denied on object 'sp_prepexec', database 'master', owner 'dbo'.

shows that the database is attempting to work with the master database of the server. Due to this, the cfqueryparam feature will not work within our shared hosting environment SQL (though it should work with a locally controlled Access database). We apologize for any inconvenience this may cause in regards to your site deployment. If you have absolute need of this feature, you may wish to consider our Virtual Dedicated or Dedicated server solutions. Bear in mind that these are not managed servers. Previous server administration experience is recommended should you opt to move to one of these solutions. Should you require further assistance on this or any other issue, don't hesitate to contact us any time of the day or night at (480) 505-8877. Or, if you prefer email, you can send your questions or comments to [EMAIL PROTECTED]

Sincerely,
Drew C.
Advanced Hosting Support

-----Original Message-----
From: Brad Wood
Sent: Friday, May 05, 2006 12:37 PM
To: CF-Talk
Subject: RE: Coldfusion with Godaddy

The guy on the phone just told me that they support all tags out of the box except cfexecute and cfregistry. He also said that they will not install custom tags for you, but I can still run it in my own directory, right?

~Brad

-----Original Message-----
From: Andy Matthews
Sent: Friday, May 05, 2006 11:31 AM
To: CF-Talk
Subject: RE: Coldfusion with Godaddy

I would think they would
RE: Coldfusion with Godaddy
That's not entirely true. They do not, at least they told me they can't allow me to use cfqueryparam with sql server in shared hosting. Here's the final response I got from them.

After further researching the issue(s) at hand, we have determined the following: The line

EXECUTE permission denied on object 'sp_prepexec', database 'master', owner 'dbo'.

shows that the database is attempting to work with the master database of the server. Due to this, the cfqueryparam feature will not work within our shared hosting environment SQL (though it should work with a locally controlled Access database). We apologize for any inconvenience this may cause in regards to your site deployment. If you have absolute need of this feature, you may wish to consider our Virtual Dedicated or Dedicated server solutions. Bear in mind that these are not managed servers. Previous server administration experience is recommended should you opt to move to one of these solutions. Should you require further assistance on this or any other issue, don't hesitate to contact us any time of the day or night at (480) 505-8877. Or, if you prefer email, you can send your questions or comments to [EMAIL PROTECTED]

Sincerely,
Drew C.
Advanced Hosting Support

-----Original Message-----
From: Brad Wood
Sent: Friday, May 05, 2006 12:37 PM
To: CF-Talk
Subject: RE: Coldfusion with Godaddy

The guy on the phone just told me that they support all tags out of the box except cfexecute and cfregistry. He also said that they will not install custom tags for you, but I can still run it in my own directory, right?

~Brad

-----Original Message-----
From: Andy Matthews
Sent: Friday, May 05, 2006 11:31 AM
To: CF-Talk
Subject: RE: Coldfusion with Godaddy

I would think they would. They had a help section about Coldfusion when they first released it. In fact, if you search this list on the website you should be able to find my post with all of the direct links.

andy matthews
web developer
certified advanced coldfusion programmer
ICGLink, Inc.

-----Original Message-----
From: Brad Wood
Sent: Friday, May 05, 2006 11:23 AM
To: CF-Talk
Subject: RE: Coldfusion with Godaddy

I'm on the phone now trying to get a list of restricted tags from them. Does anyone know if they publish that?

~Brad

-----Original Message-----
From: Brad Wood
Sent: Friday, May 05, 2006 11:04 AM
To: CF-Talk
Subject: RE: Coldfusion with Godaddy

Godaddy does CF now? That is cool. I have asked them several times if they plan on hosting CF sites and they have always told me no. My personal site is pretty basic and I have been looking around for some cheap hosting to move it to. Since my domains are already registered with godaddy, I might give their hosting a whirl...

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:239648
RE: Coldfusion with Godaddy
That's basically what I told them. They will never be taken seriously by anyone in the ColdFusion community. I submitted that incident back at the end of March. This was for one of my clients, who hosts with them. SQL and cfqueryparam work fine on every other ColdFusion host who actually knows what they are doing. This is the error I get. I suggested maybe they might want to contact Macromedia to ask them how to set things up correctly, but I think that fell on deaf ears. I also suggested they change the article which states what tags they support since it was misleading.

[Macromedia][SQLServer JDBC Driver][SQLServer]EXECUTE permission denied on object 'sp_prepexec', database 'master', owner 'dbo'.

Also I was the one who posted about getting the issue resolved with cffile, but that was just a sandbox problem.

John

-----Original Message-----
From: Mark A Kruger
Sent: Friday, May 05, 2006 1:23 PM
To: CF-Talk
Subject: RE: Coldfusion with Godaddy
RE: Coldfusion with Godaddy
I am going to reopen the incident with your explanation of the issue and see what happens. I made the mistake of replying to the incident while my blood was boiling after the tech told me that if I just remove the line of code causing the error the code would work. So my explanation was probably not quite as concise as yours.

Thanks,
John

-----Original Message-----
From: Mark A Kruger
Sent: Friday, May 05, 2006 1:23 PM
To: CF-Talk
Subject: RE: Coldfusion with Godaddy

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:239669
RE: Coldfusion with Godaddy
I'll do that. Good suggestion.

-----Original Message-----
From: Mark A Kruger
Sent: Friday, May 05, 2006 1:59 PM
To: CF-Talk
Subject: RE: Coldfusion with Godaddy

John,

You might also refer them to the following:

Describes the tag and why it's needed.
http://mkruger.cfwebtools.com/index.cfm?mode=alias&alias=cfqueryparam

Describes an SQL Injection Attack - CFQUERYPARAM is the most straightforward solution.
http://mkruger.cfwebtools.com/index.cfm?mode=alias&alias=security.pyramid.code

There are lots of other blogs out there with similar points to make about this tag. I'm sure you can marshal some resources to prove your point. Good luck :)

-Mark

-----Original Message-----
From: John Rossi
Sent: Friday, May 05, 2006 12:48 PM
To: CF-Talk
Subject: RE: Coldfusion with Godaddy

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:239680
RE: Hiding an Email Address from harvesters
That's possibly what she is doing, considering that was my IP address she just posted. I went to her domain based on her email address, did a view source, and looked at one or two of the hidden links. I am definitely not a spammer.

John Rossi
Webmaster/Network Administrator
Bernier Associates, Inc.

-----Original Message-----
From: Scott Brady
Sent: Thursday, December 18, 2003 11:57 AM
To: CF-Talk
Subject: Re: Hiding an Email Address from harvesters

Original Message:
From: Les Mizzell

<cfmail to="[EMAIL PROTECTED]" from="Some Spammer" subject="SPAM HARVESTER ALERT" type="html" server="MyServerInfoHere">
address = #cgi.remote_addr#<br>
host = #cgi.remote_host#<br>
referer = #cgi.http_referer#<br>
agent = #cgi.http_user_agent#<br>
page = #cgi.script_name#<br>
</cfmail>

Here's the information from the email that came to me when the page was hit:

Is that e-mail the one you're suggesting is spam? If so, they're not harvesting your address. It looks like a robot (any robot, including a search engine indexer) hit that page you put up which automatically sends an e-mail. (I'm basing that on the test code you provided.)

Scott
---
Scott Brady
http://www.scottbrady.net/
RE: OT: SPAM lists?
I emailed my old ISP last year to complain about their open relay, since I was getting bounced emails, and they had no idea what an open relay was even when I pointed them to relevant info. So while incompetent is a strong word, it can be appropriate in certain instances.

John

-----Original Message-----
From: BILLY CRAVENS
Sent: Thursday, December 06, 2001 1:27 PM
To: CF-Talk
Subject: Re: OT: SPAM lists?

No disrespect intended, but I would say that you should have been aware of the potential issues. Lazy and incompetent are strong terms. Perhaps irresponsibly negligent is better. If someone spreads viruses because their virus scanner didn't tell them they had to update it, that's negligence. If someone doesn't patch IIS and spreads CodeRed, Nimda, et al, to everyone and their dog, that's negligence. Negligence and innocence are not synonymous. You are responsible for the consequences of your configuration.

---
Billy Cravens

----- Original Message -----
From: Bryan Stevenson
To: CF-Talk
Sent: Thursday, December 06, 2001 12:16 PM
Subject: Re: OT: SPAM lists?

Well Len, thanks for calling me lazy and incompetent. Until I got blacklisted I did not know about open relays. So how does that put me in either category? The mail server I was running had no documentation about the possible abuse of, or even the existence of, open relays. I'm the first to admit that my face was red when I found out that the situation existed, and I dropped everything else I was doing and fixed it immediately. I can guarantee you that had I received a warning, it certainly would have energized me to deal with the situation. Please watch those blanket statements in the future... because I am far from lazy or incompetent... you weenie ;-)

Bryan Stevenson
VP Director of E-Commerce Development
Electric Edge Systems Group Inc.

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/