What are the queries on that page doing? kill @@spid? :)
~Brad
- Original Message -
From: "John P" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Thursday, July 24, 2008 6:56 PM
Subject: (Server returned: Connection reset)
> Hi,
>
> I'm running the developer edition of CF8 with a MS2k5 SQL
>Please advise about the Spry screen dimmer effect.
>Does it exist?
Do you mean a lightbox? Not to my knowledge, but you can certainly use others
with it. There is a Spry Forum here:
http://www.adobe.com/cfusion/webforums/forum/categories.cfm?forumid=72&catid=602
--- Mary Jo
Please advise about the Spry screen dimmer effect.
Does it exist?
Thank you.
Hi,
I've recently started creating PDFs from dynamic content. The layout is
generally done via tags and CSS with an embedded html table where
needed. The problem I find is that there are no images whatsoever and a
250 page document is about 200k. Is this as good as it gets? I'm curious
becaus
Hi,
I'm running the developer edition of CF8 with a MS2k5 SQL server and receiving
the following error on the index page. Other pages are loading using the same
datasource without the error. The site was working fine yesterday. The
datasource shows connectivity from the cfide/administrator. A
Varun,
I forgot to mention that I have my VB app running as a Service on my server.
Dave
-Original Message-
From: Dave Phillips [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 3:59 PM
To: CF-Talk
Subject: RE: CFPOP and Email gateway
Varun,
I had an issue like this and couldn't
Varun,
I had an issue like this and couldn't find a 'pure' ColdFusion solution. I
ended up building a little VB app that checked the mailbox every 5 seconds
to see if it had any mail and then, if it did, it would then execute my CF page
to pull the mail. Of course, I was checking every 5 seconds, a
I have a CRM tool which uses CFPOP to pull the email from the mailbox, parses
those email and connects them to an existing open tickets in the CRM tool for
that email address.
I have a scheduled task which runs every 15 minutes and does the pull, parse and
append. I need to have this task run ev
I have a simple recursion example that I used for a menuing system a few years
back. Perhaps it may help.
http://mgt.pastebin.com/f4ff2f94f
On Thu, Jul 24, 2008 at 2:39 PM, Mark Leder <[EMAIL PROTECTED]> wrote:
> I did. Couldn't figure out that logic + tree breaks when I only want to
> return nodes
This post is from 2005 - but it does a pretty good job of explaining
execution plans on mssql and why they are important. The comments are also
pretty good.
http://www.coldfusionmuse.com/index.cfm/2005/6/28/cfqueryparam
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.col
Yes, exactly. Run the current attack; I am doing it to see how I am securing
the site, and it works!
Happy attacking :)
On Thu, Jul 24, 2008 at 3:39 PM, Dave Watts <[EMAIL PROTECTED]> wrote:
> > If I do find any vulnerabilities, is there something I can run
> > against the database to see if it has
> If I do find any vulnerabilities, is there something I can run
> against the database to see if it has been infected?
Well, for the current attack, you would look at your
varchar/nvarchar/text/ntext columns to see if anything's been appended to
them. This should be fairly easy to identify.
Dave
Al Musella, DPM wrote:
> I can't believe this isn't a big news story.. it has been the focus
> of my life for the last 48 hours:)
To be a big news story, it would have to be big and new. It is neither.
The impact it has had on the net is negligible. Who can mention 3 sites
that have been hit th
I noticed since I started securing the site also with the cfif EXEC, I have
fewer hits with the code; 3 days ago and earlier I got hit like every hour,
these past 2 days I got 2 hits a day to the exact same page with the exact same
variables in the URL
On Thu, Jul 24, 2008 at 3:05 PM, Radek Valachovic
Great, yes, I understand. Basically it runs another script against the database, so
it assumes that it is not part of the user_id. Good, thanks.
On Thu, Jul 24, 2008 at 3:05 PM, Dave Watts <[EMAIL PROTECTED]> wrote:
> > How can it be processed when USER_ID in database is
> > specified for LENGTH 15 and U
Radek,
The point is, without the cfqueryparam it doesn't really get there. The
passed user_id isn't bound in the query, so the ;{everything else} gets
processed as additional SQL statements. When the value is bound, then
the ;{and everything else} would actually be passed into the field
(sinc
>I was just looking into that myself.
>
>http://qpscanner.riaforge.org/
>
>
>
I plan on running this against the code of my sites just to be sure.
If I do find any vulnerabilities, is there something I can run against the
database to see if it has been infected?
Thanks.
> How can it be processed when USER_ID in database is
> specified for LENGTH 15 and USER_ID with Hacker code has
> length like 100?
For the purpose of preventing SQL injection, the length of the field in your
prepared statement doesn't matter. It is enough for it to be a prepared
statement, whi
Correction: the SQL should read, in the text:
SELECT location FROM item WHERE user_id = #url.user_id#
not SELECT location FROM item WHERE url.user_id = #url.user_id#
sorry
On Thu, Jul 24, 2008 at 2:55 PM, Radek Valachovic <[EMAIL PROTECTED]>
wrote:
> Okay what about this, for example column name ITEMO
Dave Phillips wrote:
> (Claude) >> It may be a silly question, but why would a SELECT * break
> because an unused column was dropped?
>
> To clarify, it is a SELECT * query with a CFQUERYPARAM in it. Because the
> first time the query is executed, an execution plan is built and cached.
> That execu
I'm using openssl to do this task.
After downloading OpenSSL (http://www.openssl.org/related/binaries.html) our CF
application runs a bat with this command:
openssl x509 -in %path2PEMfile% -noout -enddate
Cheers
Marco Antonio
On Thu, Jul 24, 2008 at 3:44 PM, Mike Henry <[EMAIL PROTECTED]> wrote:
>
Okay, what about this: for example column name ITEMOID has in DB maxlength 15
and it is numeric.
Integer is -2,147,483,648 and 2,147,483,647 = 10; the point is 10 or 15
doesn't matter.
I will specify for ITEMOID in DB maxl = 15
Example QUERY is
SELECT location FROM item WHERE url.user_id = #url.us
What Charlie says is correct. To elaborate on the performance part..
If you use proper indexes in your database it is possible to have statements
that are called "covered selects". This means that every column in the
select clause and where clause are all part of an index, and the records can
I have a need to validate a client certificate in Coldfusion. Part of the
validation is to determine if the certificate is still valid (based on "valid
from" and "valid to" dates). Within Coldfusion, I only have access to the
following client certificate parms:
CGI.Cert_subject
CGI.Cert_Name
I did. Couldn't figure out that logic + tree breaks when I only want to
return nodes and levels that correspond with documents/db listings on the
server.
-Original Message-
From: Gerald Guido [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 2:09 PM
To: CF-Talk
Subject: Re: Recursi
> > If you don't really care
>
> I don't really care about measuring the difference it makes,
> because it must certainly be marginal, and it is not because
> I don't care about the difference it can make that I cannot make a
> comment about it.
If you want to be a contrarian for the sake of being a contr
It will be secured, but it is better IMO to use the maxlength attribute.
It should match your schema. If I were doing this the maxlength on both
my cfqueryparam and column would be the maximum length of allowed email
addresses. My standard length for passwords can be no longer than 8
characters.
(Brad) >>This is starting to sound like a bad multiple choice question from
a college
final... :)
Especially our college, Brad. ;-)
(Claude) >> It may be a silly question, but why would a SELECT * break
because an unused column was dropped?
To clarify, it is a SELECT * query with a CFQUERYPARA
Absolutely. Minimally, just using a cfqueryparam tag with the value
attributes is enough to let the SQL server know the difference between the
SQL statement itself and the parameters being passed into it. With that
distinction, you may get crap data in your database if it is an insert or an
u
Charlie Griefer wrote:
> Not using SELECT * is more of a "best practices" kind of thing.
>
> When you use it, you're potentially pulling more information than you need,
> which is inefficient.
It can also lead to very hard to debug errors. When "*" is used, the
list of columns can become cache
> So if I won't use maxlength, is it still gonna be secured?
Yes.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-
So if I won't use maxlength, is it still gonna be secured? thanks
On Thu, Jul 24, 2008 at 2:23 PM, Ben Forta <[EMAIL PROTECTED]> wrote:
> MAXLENGTH would typically be the maximum the underlying table allows or the
> maximum you want to accept. And MAXLENGTH is optional.
>
> --- Ben
>
>
> -Origi
MAXLENGTH would typically be the maximum the underlying table allows or the
maximum you want to accept. And MAXLENGTH is optional.
--- Ben
-Original Message-
From: Radek Valachovic [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 2:19 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Att
Your max length in this scenario should most likely be the size of the
database column in question. If you use a varchar(50) to store your E-mail
address, then you know that the only valid strings coming into this query
are going to be 50 characters or less.
- Original Message -
From:
Whatever the length of the column in your DB.
Adrian
-Original Message-
From: Radek Valachovic [mailto:[EMAIL PROTECTED]
Sent: 24 July 2008 19:19
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
What would you suggest for this kind of thing:
Select USERID
This is starting to sound like a bad multiple choice question from a college
final... :)
~Brad
- Original Message -
From: "Ben Forta" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Thursday, July 24, 2008 1:15 PM
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...
> Fine, i
What would you suggest for this kind of thing:
Select USERID
from users
where email = '#trim(arguments.email)#' and password =
'#trim(arguments.password)#'
Something like this?
Select USERID
from users
where email = and password =
I put question marks for MAXLENGTH, still thinking if I should
On Thu, Jul 24, 2008 at 11:20 AM, Claude Schneegans <
[EMAIL PROTECTED]> wrote:
> A very particular situation though.
Perhaps, but the following demonstrates how this kind of issue can be even
more problematic when the table is changed in such a way that no error is
thrown by the view...
CREATE
Fine, it's always a good idea to never use *
;-)
--- Ben
-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 2:13 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
>>it's safe to say that avoiding "*" is
>>it's safe to say that avoiding "*" is a good idea,
Now that's the kind of statement I prefer: "a good idea",
better than *always* or *never* :-)
--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send an
Did you look at this:
http://nstree.riaforge.org/
On Thu, Jul 24, 2008 at 1:36 PM, Mark Leder <[EMAIL PROTECTED]> wrote:
> Hi All,
>
>
>
> Been working on a recursion output for several days now without success.
> Using a single category table with "ID, Name, ParentID". The nesting is up
> to fo
> How exactly do you "record" this? Is it a cookie that's set
> or do you need a network traffic sniffer to pick up whatever
> header is being passed? How often do the tokens or whatever
> is passed get changed? I'm assuming each time you login
> there's something that gets set?
Yes, every tim
> It may be a silly question, but why would a SELECT * break
> because an unused column was dropped?
For the same reason that SELECT * will break if you use it in a view, run
the view, then change the underlying schema. The "*" gets dereferenced to
actual columns in the execution plan, which gets
>>If you don't really care
I don't really care about measuring the difference it makes, because it must
certainly be marginal,
and it is not because I don't care about the difference it can make that I cannot
make a comment about it.
> A very particular situation though. It will not prevent me
> from using SELECT * when I need all fields. This is more
> efficient than listing all of them.
It may be more efficient for you as you type them out, but it will be less
efficient for your database, which has to figure out what "*" repr
On Thu, Jul 24, 2008 at 10:48 AM, Radek Valachovic <[EMAIL PROTECTED]>
wrote:
> Yeah I was reading in the forum this one, that using SELECT * is not good,
> can you explain why with a short example? What are the pros and cons? What other type of
> security is it gonna give me? Thanks
>
Not using SELECT * is more
> Ok, this is another example where CFQP is useful, as the doc says.
> But if the query is not likely to be executed often, which is
> the case with small sites, generating the execution plan
> might represent an overhead on the contrary.
> (just assuming, I have not run tests, and I don't really
>>When your database executes a SQL statement, it generates an
execution plan
that best fits that statement and it caches that plan in memory for later
use.
Ok, this is another example where CFQP is useful, as the doc says.
But if the query is not likely to be executed often, which is the case
Second to last sentence should read "you are safe from damage to the
db"
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
-Original Message-
From: Mark Kruger [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 12:37 PM
Yeah I was reading in the forum this one, that using SELECT * is not good,
can you explain why with a short example? What are the pros and cons? What other type of
security is it gonna give me? Thanks
Radek
On Thu, Jul 24, 2008 at 1:39 PM, Brad Wood <[EMAIL PROTECTED]> wrote:
> Radek, what you did is exactly co
That's fair enough from a security stand point, but I still use cfqueryparam
with MS SQL for performance reason.
When your database executes a SQL statement, it generates an execution plan
that best fits that statement and it caches that plan in memory for later
use (so it doesn't have to be ge
Using CFQUERYPARAM will secure your DB calls. That doesn't mean you don't
have other problems. But it does mean that executing arbitrary code against
the DB using user inputs (form, url, cookie) is no longer possible. When the
system sees something like " it will bind those characters to a variable
Hi All,
Been working on a recursion output for several days now without success.
Using a single category table with "ID, Name, ParentID". The nesting is up
to four layers deep. Problem is, I want to tie the results set to documents
that have been posted, with the categoryID referencing the do
Radek, what you did is exactly correct. (Well, some people might bust your
balls for the select *, but that's another performance/bug related
discussion)
Just make sure you get EVERY vulnerable query in your site. It only takes
one bad apple...
~Brad
- Original Message -
From: "Rade
Do you think when I am using cfqueryparams, for example with numbers like
this, it is secured?:
SELECT * FROM product WHERE productoid=
Another example I am thinking is worse is with text; I made it like this:
SELECT * FROM item WHERE L3=
I added maxlength for more security; with PRODUCTOID it is alw
>>Not if you use MySQL. That DBMS allows for an alternative way to escape
those with a backslash.
Ok, then let's say that CFQP should always be used with MySQL...
>>.. and you haven't turned off MySQL's default ways of escaping those
ticks
... IF you have not turned off MySQL's default ways of e
Not if you use MySQL. That DBMS allows for an alternative way to escape
those with a backslash.
This has been a much blogged topic recently.
http://www.codersrevolution.com/index.cfm/2008/7/13/Just-when-you-felt-safe-SQL-Injection-and-MySQL
http://www.coldfusionmuse.com/index.cfm/2008/2/22/sql-i
>>Closing the apostrophe is exactly how SQL injection occurs with text
field
Ok, you got it!
BUT CFQUERY will escape that apostrophe anyway, so that the SQL injection
will
just be part of the string stored in the field whether you use CFQP or not.
Use the GoDaddy site for something else and go get a free WordPress blog at
http://www.wordpress.com.
On Thu, Jul 24, 2008 at 10:25 AM, NUGROHO NOTO <[EMAIL PROTECTED]>
wrote:
> Thanks Todd, for pointing me about those cfqueryparam issue.
> well..this blog is for my son's website.. and I knew tha
Closing the apostrophe is exactly how SQL injection occurs with text field
and if you are using MySQL it is a very real possibility.
~Brad
- Original Message -
From: "Claude Schneegans" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Thursday, July 24, 2008 11:12 AM
Subject: Re: (ot) URL Hack
>>Jeez, and value="URL.TryToHackThis" should be value="#URL.TryToHackThis#"
so you see that CFQP is not that easy to use ;-))
>>ANY string passed into cfqueryparam cannot be executed as SQL:
Is it really possible to get an SQL statement executed from a string for
a text field without closing the string first with an apostrophe?
Jeez, and value="URL.TryToHackThis" should be value="#URL.TryToHackThis#"
That's what I get for answering at midnight.
On Thu, Jul 24, 2008 at 11:57 PM, James Holmes <[EMAIL PROTECTED]> wrote:
> Obviously cfsqltype="varchar" should be cfsqltype="cf_sql_varchar" (my typo).
>
> On Thu, Jul 24, 2008
Obviously cfsqltype="varchar" should be cfsqltype="cf_sql_varchar" (my typo).
On Thu, Jul 24, 2008 at 11:55 PM, James Holmes <[EMAIL PROTECTED]> wrote:
> I'll say it again.
>
> ANY string passed into cfqueryparam cannot be executed as SQL:
>
> select somecolumn
> from sometable
> where someotherco
I'll say it again.
ANY string passed into cfqueryparam cannot be executed as SQL:
select somecolumn
from sometable
where someothercolumn =
It is irrelevant what gets passed in the URL.TryToHackThis; it cannot
be executed as a SQL statement. It's bound to the query as a
parameter.
On Thu, Jul 2
BlogCFC is released under the Apache 2.0 license, you can pretty much do
anything you want with it, including redistributing.
http://www.apache.org/licenses/LICENSE-2.0
-Ryan
Andy Matthews wrote:
> BlogCFC is editable, yes. When you download it, you have the source code. I
> don't think you coul
>>So you know that it *always* prevents SQL injection in a standard
query (select, update or delete).
Really? Can you give an example of injection that will be prevented?
GoDaddy supports queryparam.
-Original Message-
From: Todd Rafferty [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 10:14 AM
To: CF-Talk
Subject: Re: Open source BLOG which run on GoDaddy.
Was reading a comment here:
http://www.coldfusionjedi.com/index.cfm/2006/3/7/Ask-a-Jedi-Co
So you know that it *always* prevents SQL injection in a standard
query (select, update or delete). That's a good enough reason to
always use it for me.
On Thu, Jul 24, 2008 at 10:58 PM, Claude Schneegans
<[EMAIL PROTECTED]> wrote:
> >>Do you fully understand what cfqueryparam does when binding t
BlogCFC is editable, yes. When you download it, you have the source code. I
don't think you could redistribute your changes, but you can change it.
-Original Message-
From: NUGROHO NOTO [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 10:05 AM
To: CF-Talk
Subject: Re: Open source
>>I'm not saying Captcha is bad, but I hate running into it on a site
myself,
Same with me.
I've always wondered if some bot really ever used some character
recognition system
so that it is necessary to distort text so badly.
Another thing that bugs me about captcha is that in case you entered
This is not the only case. If you use pooled statements on the
datasource (which is a default for CF) you can demonstrate another
case:
Create a table.
Select * from it in a CF template.
Add a column to the table in the DB.
Run the same template again.
See the problem.
On Thu, Jul 24, 2008 at 11:
Thanks Todd, for pointing out those cfqueryparam issues to me.
well.. this blog is for my son's website.. and I knew that he had signed up for 2
years (to get the cheapest monthly rent)... so.. moving to another host is not
an option.
> On my form, I have:
>
> It's important that you don't
> fill this out: class="input_large" />
Captcha drives me crazy. Sometimes on other folks' sites I have to sit
there and "guess" the freaking crooked letters four or five times before
I get it right. Is that a lower case or upper case "W"
>>It shouldn't make a difference if the SELECT * is in a cfquery
I see.
A very particular situation though. It will not prevent me from using
SELECT * when
I need all fields. This is more efficient than listing all of them.
On the opposite, using SELECT * just to get a record count is the worst
ca
Was reading a comment here:
http://www.coldfusionjedi.com/index.cfm/2006/3/7/Ask-a-Jedi-ColdFusion-Hosting-Plans#c43786FF6-9A64-F431-BC422D944B5CE86E
You have other issues besides createObject() if they don't support
cfqueryparam. How attached are you to having godaddy as a host?
On Thu, Jul 24
>>In our case, what
happened was that we dropped a column that hadn't been in use for awhile,
and everything broke because of the SELECT * and cfqueryparam.
It may be a silly question, but why would a SELECT * break because an
unused column
was dropped?
Or, if for some reason captchas are not preferred, then you could do what a few
web forums are doing, which is ask the user a simple question which forces
someone to actually read the screen and answer it before the form will
submit/process.
On Thu, Jul 24, 2008 at 9:44 AM, Scott Stewart <[EMAIL PROTE
On Thu, Jul 24, 2008 at 10:52 AM, Claude Schneegans <
[EMAIL PROTECTED]> wrote:
>
> It may be a silly question, but why would a SELECT * break because an
> unused column
> was dropped?
>
> It shouldn't make a difference if the SELECT * is in a cfquery (though that
is bad practice, too), but if it i
On my form, I have:
It's important that you don't
fill this out:
I set the CSS style for spampot to display: none; if it's ever filled out, I
reject the message. Anyone using a modern-day browser never sees the text
field, so... voilà? o_O
On Thu, Jul 24, 2008 at 10:45 AM, Todd Rafferty <[EMAIL
Try telling that to Billy, he just got fired!
-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: 24 July 2008 15:58
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
>>Do you fully understand what cfqueryparam does when binding text
My son wants to make a BLOG about POKEMON (it's a Japanese character).
So... I am looking for an opensource BLOG application which can run on GoDaddy
shared hosting.
Godaddy does NOT allow createobject... so.. I cannot use blogcfc.
Can anybody share their opinion?
Thanks for any input.
Thanks Matthews.. for your posting.
Frankly.. I am a newb... I am not sure if I can edit all those ... but I should
try I think.
But.. one question here.. NOT very sure.. are we allowed to edit Ray's script?..
of course I have to ask him about this ..
I prefer... If I can find a BLOG application which d
Oddly, I use a css hack and I haven't gotten much from bots. I've gotten a
few human spam messages though, but they were pretty unreadable.
On Thu, Jul 24, 2008 at 10:42 AM, Robert Harrison <
[EMAIL PROTECTED]> wrote:
> Great - first the SQL injection attack, now a web contact form spam attack.
Cfformprotect. Look for it on ria forge. Works great!
-Original Message-
From: Robert Harrison [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 10:42 AM
To: CF-Talk
Subject: Form Spam Attack
Great - first the SQL injection attack, now a web contact form spam attack.
When you're
Add some kind of Captcha requirements
--
Scott Stewart
ColdFusion Developer
4405 Oakshyre Way
Raleigh, NC 27616
(h) 919.874.6229 (c) 703.220.2835
-Original Message-
From: Robert Harrison [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 10:42 AM
To: CF-Talk
Subject: Form Spam Attac
>>But Billy has been told to turn:
SET myValue = #someOtherQuery.someOtherValue#
into:
SET myValue = #FORM.someOtherValue#
Then obviously, he should add CFQP to the line of code at the same time;
what's the problem?
My point is just that in some situations, CFQP is useless,
of course, if you cha
Great - first the SQL injection attack, now a web contact form spam attack.
When you're using a contact form to send email, what can you do to prevent a
bot from spamming the form?
One of my sites just got thousands of the same email over and over.
Any ideas?
Robert B. Harrison
Director of Int
+10 Brad
On Thu, Jul 24, 2008 at 7:17 AM, Brad Wood <[EMAIL PROTECTED]> wrote:
> As promised:
>
> http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect
>
> ~Brad
>
>
>>Do you fully understand what cfqueryparam does when binding text
parameters into the query?
Yes, fully.
I've designed CFX_ODBCinfo, and some other tools, and I'm pretty aware
of the way ODBC or JDBC drivers work.
This is precisely why I can say when it is useful and when it is not.
LOL...that's a nice feature.
-Original Message-
From: Todd Rafferty [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 9:49 AM
To: CF-Talk
Subject: Re: Form Spam Attack
On my form, I have:
It's important that you don't
fill this out:
I set the CSS style for spampot display: none
GoDaddy doesn't allow createobject, but they do allow cfinvoke (which does
much the same thing). If you're comfortable with editing CF code, you could
edit the few CreateObject instances and convert them to cfinvoke. I've done
this before with GoDaddy sites.
-Original Message-
From: NUGRO
Do you fully understand what cfqueryparam does when binding text
parameters into the query?
On Thu, Jul 24, 2008 at 9:54 PM, Claude Schneegans
<[EMAIL PROTECTED]> wrote:
> 2. if both fields are text, CFQUERYPARAM won't detect anything harmful
> and won't help anyway.
--
mxAjax / CFAjax docs and
captcha is nice
On Thu, Jul 24, 2008 at 9:42 AM, Robert Harrison
<[EMAIL PROTECTED]> wrote:
> Great - first the SQL injection attack, now a web contact form spam attack.
>
> When you're using a contact form to send email, what can you do to prevent a
> bot from spamming the form?
>
> One of my sit
My name is Chris Welch; I created SkyleX Intranet. I do apologize for the
broken link, but due to various personal reasons my site was down for some time
and the product was on the shelf during that time. I have since then made some
changes to the app, re-branded it and recreated a site to sell
>>var listSQLInject =
"cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,dr
op,--,'";
Don't forget to include "user" in your list. The first thing hackers try
generally is to get to
your table of users and passwords.
>>and Billy New-Developer comes along and decides that
someOtherQuery.someOtherValue could really do with coming directly from the
user? Will he add the cfqp if it's not already there?
This is irrelevant, because:
1. if both fields are numeric, there is no possibility
OtherQuery.someOtherValue c
I'd be leery of simply looking for the word cast, or declare, or exec by
themselves. Better to include them as part of a regular expression that also
looks for semi-colons and ( like so:
REFindNoCase(';.*EXEC.*\(?.*\)?',VARIABLES.qString)
That looks for a ;, followed by any character (any number
But Billy has been told to turn:
SET myValue = #someOtherQuery.someOtherValue#
into:
SET myValue = #FORM.someOtherValue#
because Nigel in accounts wants to do his own thing.
If cfqp is in place, Billy will leave it there. He might not add it if it's
not!
Poor Billy...
-Original Message--
Adrian,
Thanks - I was wondering if I was EVER going to get a dissenting opinion!
;-)
I should clarify my previous statements by referring to "production level
code". I too use SELECT * when I'm doing test or development, and then, if
that script is ever going to make it into production, I go ba