> I rarely use url variables, but when I do I always check to make sure it
> contains the type of data I am expecting it to contain.
There is no difference between URL, form, cookie or (certain) CGI
variables, really. They're all equally unsafe. Anything that comes
from the browser is unsafe.
D
> Anyone who uses a url variable in a sql statement - even with cfqueryparam
> - is simply asking for trouble.
There is nothing inherently unsafe in doing this. The worst that can
occur is an SQL error. The database will not execute the contents of
the variable.
Dave Watts, CTO, Fig Leaf Softwar
Sounds like you are on the right track by using FusionReactor.
Somewhat refreshing to see someone this concerned with memory usage in the
age of affordable hardware. If everyone was like this our shared CF servers
would probably be much happier.
My example, we had a template that just did a port
Even if your cfqueryparam is looking for a string (say you're using a
UUID), you're still safe because they're passed in as arguments to a
manufactured stored procedure. Ultimately, the db ends up doing something
like this:
declare @p1 nvarchar(4000);
select * from forums where threadid=@p1
EVE
At some point, you want to verify that you are passing an actual threadid
(to use your example) and not a sql statement that someone has appended to
the url as threadid. If you simply use the url variable you aren't doing
that. If your cfqueryparam is checking for an integer you would probably be
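The two positions above (a bound parameter is passed to the database as data and is never executed as SQL, and that one should still verify the value is really an integer before using it) can both be seen in a small script. This is an added illustration, not code from the thread; it uses Python's sqlite3 in place of ColdFusion and SQL Server, a constructed `forums` table, and hypothetical helper names (`view_topic_interpolated`, `view_topic_param`, `parse_threadid`). The bound `?` placeholder plays the role of cfqueryparam.

```python
import sqlite3
from typing import List, Optional


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a message board's forums table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table forums (threadid integer primary key, title text)")
    conn.executemany("insert into forums values (?, ?)",
                     [(5, "Welcome"), (6, "Board rules")])
    conn.commit()
    return conn


def view_topic_interpolated(conn: sqlite3.Connection, threadid: str) -> List[str]:
    """The unsafe pattern: the URL value becomes part of the SQL text.
    Whatever the browser sent is parsed by the database as SQL."""
    sql = f"select title from forums where threadid={threadid}"
    return [row[0] for row in conn.execute(sql)]


def view_topic_param(conn: sqlite3.Connection, threadid) -> List[str]:
    """The cfqueryparam equivalent: the value travels as a bound parameter.
    The statement text is fixed; the database compares the column against a
    value, so a non-numeric string simply matches nothing."""
    rows = conn.execute("select title from forums where threadid=?", (threadid,))
    return [row[0] for row in rows]


def parse_threadid(raw: str) -> Optional[int]:
    """The validation step the reply asks for: accept only a plain decimal
    integer from the URL and reject everything else before it reaches SQL."""
    return int(raw) if raw.isdigit() else None


if __name__ == "__main__":
    db = build_db()
    print(view_topic_param(db, 5))              # ['Welcome']
    print(view_topic_param(db, "5 or 1=1"))     # [] : treated as a literal value
    print(view_topic_interpolated(db, "5 or 1=1"))  # every row: the text was parsed as SQL
    print(parse_threadid("5"), parse_threadid("5 or 1=1"))  # 5 None
```

Running it shows the difference directly: with the parameterised query the odd value is compared as a string and matches no row, which is Dave's point that the worst outcome is an error or an empty result; with string interpolation the same value changes the query. `parse_threadid` is the extra check the reply wants, and it also gives a cleaner error message than a database type mismatch would.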
How exactly are we asking for trouble by using URL variables within
CFQUERYPARAMs?
For example, a message board might link to a message topic with
viewTopic.cfm?threadid=5
You can't do form posts for every call to your application, so I'm curious
as to how you propose doing this.
And then use
I'm trying this again so I can explain everything in one fell swoop...
I have an old Flash app (last compiled with CS3 probably, but originally
written with Flash MX 2004), and of course it makes flash remoting calls to
/flashservices/gateway. By default, this is not mapped in CF 10, they
change
Anyone who uses a url variable in a sql statement - even with cfqueryparam
- is simply asking for trouble.
On Thu, Mar 7, 2013 at 1:18 PM, Russ Michaels wrote:
>
> Ok found an example for you.
>
> www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me
>
Hi Dave,
Yes, we are on 64 bit with CF9 and a pretty good amount of memory allocated
to the jvm (I'd have to check to find out exactly how much).
As our load test progresses, the memory used stat in FusionReactor got as
high as 75% for a little while. CF / Garbage collection seems pretty good
> We're doing some load testing on our application - particularly focused on
> a registration process.
> We're monitoring the test with a number of tools, including FusionReactor.
> As the test progresses, it's pretty easy to see the "Memory Used" statistic
> climbing. That's expected but we'd ob
> Do you think that changing the index on this table to clustered from
> nonclustered would provide us with performance improvements?
Well, queries that use a clustered index generally run significantly
faster than queries that use a nonclustered index. If you only put one
index on a table, it's
> > > Sadly I cannot provide any links as proof, so I won't argue with you, but I
> > > am sure I have seen someone on this list provide some advanced sql
> > > injection examples that got through cfqueryparam
> >
> > The only way for this to be possible is to do something with the data
> > in your
Hi folks,
We're doing some load testing on our application - particularly focused on
a registration process.
We're monitoring the test with a number of tools, including FusionReactor.
As the test progresses, it's pretty easy to see the "Memory Used" statistic
climbing. That's expected but we'
Ok found an example for you.
www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me
>> Sadly I cannot provide any links as proof, so I won't argue with you, but I
>> am sure I have seen someone on this list provide some advanced sql
>> injection examples that got throu
Hi Dave,
On my dev machine it did not exist, but it worked, and it worked on the live
server. The only real change I made was I created a new directory in the admin
folder called pdf so that the new ones get generated there. I updated the
permissions on my dev machine to read/write for the cf
Hi Dave (or anyone),
Another quick follow up (about clustered vs nonclustered indexes) indexing
the CDATA table.
You mentioned creating an index on CDATA like the following (ie a clustered
index).
CREATE UNIQUE CLUSTERED INDEX idxCDATA
ON cdata (cfid, app)
It turns out that in some cases we alrea
> I am having something strange going on today with my dev machine. I have an
> app that writes a PDF:
>
> nameconflict="make unique">
>
> It has been working great, but today when I ran it I was given a java.io
> error that a folder did not exist.
> Funny thing was that it was looking at the
Yeah, I went the expand path route and pointed it to a pdf directory that was
already accepting new vouchers and it works. I
On Mar 7, 2013, at 4:05 PM, Bobby wrote:
>
> I'd probably start by trying one of these instead just to see if it made a
> difference:
>
> ./pdf/voucher#user_id#.pdf
>
I'd probably start by trying one of these instead just to see if it made a
difference:
./pdf/voucher#user_id#.pdf
Or
#expandPath('./pdf/')# & 'voucher#user_id#.pdf'
On 3/7/13 3:41 PM, "Bruce Sorge" wrote:
>
>I am having something strange going on today with my dev machine. I have
>an app t
Password expirations would definitely be the way I would have gone with
this.
If I didn't have that option I'd probably just hash them all with a single
update statement in SQL Server rather than involving CF at all.
update userTable set passwordColumn =
right(master.dbo.fn_varbintohexstr(hashByt
I am having something strange going on today with my dev machine. I have an app
that writes a PDF:
It has been working great, but today when I ran it I was given a java.io error
that a folder did not exist. Funny thing was that it was looking at the
following path:
ColdFusion10\cfusion\run
Torrent Girl wrote:
> Did you have a problem with timeouts or out of memory errors?
>
> I have quite a bit of records
This is why I suggested that you pre-expire everyone and have them update their
credentials on next log in.
It spreads out the load and you have to have the code anywa
> First, you could simply increase the timeout for the script using the
> appropriate CF command.
>
Oops, I meant:
Also, this won't address memory problems, just timeouts.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-
> Did you have a problem with timeouts or out of memory errors?
>
> I have quite a bit of records
You have a couple of options.
First, you could simply increase the timeout for the script using the
appropriate CF command.
Second, you could write a paging mechanism to only do this with n
record
I did not have any time out issues. I'd do what Bobby suggests and add the
flag, that way a timeout doesn't kill what you had accomplished. I'm
presuming you are doing this in a dev environment, so you can always
increase your timeout times so that it runs.
Cheers,
Rob
On 2013-03-07 12:58 PM,
>Here you go.
>
>
>select memberid, password from users
>
>#getUserPasswords.RecordCount#
>
>
>
>
>
>user.salt,"SHA-256","us-ascii")/>
>
>update users set password = '#user.password#', salt = '#user.salt#'
>where memberid = '#memberid[currentrow]#'
>
>
>
>
>
> and we changed #count#
>
>
Nope, and if you google "amfRequest" "cc is not defined" you'll actually
see a lot of others.
No errors are logged by coldfusion, and as I said, I put a right
before the and that works. *AND* the http status code is 200 -
a CF error would normally throw a 500.
I think my issue is that the AMF
I suggest adding a new bit flag column to the table and only update
records that have that flag set to 0.
The password update query could set that flag to 1 so if you accidentally
run that template twice, you don't hash and salt salted hashes.
Step 1, back up the database.
On 3/7/13 11:02 AM,
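Bobby's suggestion (a bit flag column so the hashing pass only touches rows it has not yet converted, and can be re-run after a timeout without double-hashing) is illustrated below. This is an added example, not code from the thread: it uses Python's sqlite3 rather than ColdFusion and SQL Server, a constructed `users` table with made-up plaintext passwords, and the hypothetical names `migrate_passwords`, `verify_password` and the flag column `hashed`. The hash layout assumed is SHA-256 over password followed by salt, matching the `hash(..., "SHA-256")` call in the posted template.

```python
import hashlib
import secrets
import sqlite3

# Constructed sample rows (not from the thread): passwords still stored in clear.
SAMPLE_USERS = [(1, "hunter2"), (2, "correct horse"), (3, "P@ssw0rd")]


def build_users_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        create table users (
            memberid integer primary key,
            password text not null,
            salt     text,
            hashed   integer not null default 0   -- the bit flag: 0 = plaintext, 1 = salted hash
        )""")
    conn.executemany("insert into users (memberid, password) values (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def salted_sha256(password: str, salt: str) -> str:
    # Assumed layout: password & salt, hashed with SHA-256, hex encoded.
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def migrate_passwords(conn: sqlite3.Connection, batch_size: int = 100) -> int:
    """Hash every row whose flag is still 0, one batch per transaction.
    Returns the number of rows converted; a second run converts nothing."""
    converted = 0
    while True:
        rows = conn.execute(
            "select memberid, password from users where hashed = 0 limit ?",
            (batch_size,)).fetchall()
        if not rows:
            return converted
        with conn:  # commit per batch: a timeout mid-run loses at most one batch
            for memberid, plaintext in rows:
                salt = secrets.token_hex(16)
                # 'and hashed = 0' in the update itself guards against a
                # concurrent or repeated run re-hashing an already hashed row.
                conn.execute(
                    "update users set password = ?, salt = ?, hashed = 1 "
                    "where memberid = ? and hashed = 0",
                    (salted_sha256(plaintext, salt), salt, memberid))
        converted += len(rows)


def verify_password(conn: sqlite3.Connection, memberid: int, candidate: str) -> bool:
    row = conn.execute(
        "select password, salt, hashed from users where memberid = ?", (memberid,)).fetchone()
    if row is None or row[2] != 1:
        return False
    stored, salt, _ = row
    return secrets.compare_digest(stored, salted_sha256(candidate, salt))


if __name__ == "__main__":
    db = build_users_db()
    print(migrate_passwords(db, batch_size=2))   # 3
    print(migrate_passwords(db, batch_size=2))   # 0, nothing left to convert
    print(verify_password(db, 1, "hunter2"))     # True
```

The batching doubles as the paging mechanism Dave mentions for the timeout problem, and because the flag is checked both in the select and in the update, the template can be run as many times as needed. For a new system a deliberately slow password hash (bcrypt, scrypt or PBKDF2) would be preferable to a single SHA-256, but the flag-and-batch structure is the same either way.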
I just had this error too. It was working fine in CF9.
Apparently CFPDF no longer likes to work all in memory, so I had to change my
code to write the file to a temporary file after the CFPDFFORM and then use
that temporary file as the source for the merged, flattened document: