Sent: Sunday, July 27, 2008 7:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta
To anyone who happened to use the regex I posted earlier I have an updated
method to be used in place, effective immediately.
// Short list of db objects to protect
DBObj.short = 'database|function|procedure|role
Gabriel... would you post the page in complete working order with your code
modifications? Thanks!
-Original Message-
From: Gabriel [mailto:[EMAIL PROTECTED]
Sent: Sunday, July 27, 2008 8:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
for your situation.
-Mark
-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2008 9:01 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
Thanks Mark. So, the function checkSQLInject(str) and the function
The code on my blog is a working example, but it's not
drop-in ready - you would still need to check the form and cookie scope
for example... So either way you will need to do some tweaking to get it to
work for your situation.
I'm going to post an updated version of my tool later today, just want
Version 2 of the scanner I did is now available here:
http://www.cfwebstore.com/index.cfm?fuseaction=page.downloaddownloadID=18
This has *not* been heavily tested as of yet, so use at your own risk!
--- Mary Jo
There was a little mistake in the scanner I posted earlier that could cause it
to hang, if anyone downloaded it before, please grab the updated copy.
In just some basic iteration checking, the new version does appear to be
Am I missing something here. I thought CFQUERYPARAM solved this problem. Is
this redundant or is there some problem with CFQUERYPARAM I'm missing?
Robert B. Harrison
MaryJo produces a product that she supports on older platforms, hence
the need to bypass cfqueryparam.
Steve Cutter Blades
Adobe Certified Professional
Advanced Macromedia ColdFusion MX 7 Developer
http://blog.cutterscrossing.com
I have a client who reluctantly upgraded to CF5 from CF4.0 last year
(yes, that would be 2007) because an sysadmin _accidentally_ upgraded,
and they couldn't find the original 4.0 disks. While they'd like to
upgrade to CF7 or CF8, the cost of migrating the many, many apps they
have is cost
MaryJo produces a product that she supports on older platforms, hence
the need to bypass cfqueryparam.
Actually, that's not really the issue so much as customers that are running
older versions of my software that don't have all the text inputs covered with
cfqueryparams. While this is
-Original Message-
From: Mary Jo Sminkey [mailto:[EMAIL PROTECTED]
Sent: Saturday, 26 July 2008 5:40 AM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
What do you think about this solution for sites with 5000 files:
This looks similar to the solution I
This will fix a problem in which a long string containing too many back
references for non-word chars can cause a stack overflow. As much as I love
CF, I find the native regex implementation sadly lacking.
Thanks for the update... I'm not sure if any of my customers are using a host
that
Ben,
Seeing as how this type of sql injection attack is succeeding so
much (even my favorite fishing website has been down for days due to
it (it is a .cfm site))...
how about changing cfquery so that by default, only ONE sql
statement can be sent. Let us override that with a parameter in
how about changing cfquery so that by default...
NO NO NO NO NO NO NO NO
I've used nested SQL all the time, and I've got over 100 web sites up.
Validate and use REREPLACE and CFQUERYPARAM and you're fine.
Don't ever make a function change that kills existing code written
correctly.
I find it useful on occasion with INSERT then SELECT @IDENTITY
-Original Message-
From: Al Musella, DPM [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To
Ben Forta
Francis [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:16 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
Al Musella, DPM wrote:
Seeing as how this type of sql injection attack is succeeding so
much (even my favorite fishing website has been down for days due to
it (it is a .cfm site))...
how about changing cfquery so that by default, only ONE sql
statement can be sent.
That is a *very*
you'd
still have to remember to switch it off.
-- Josh
- Original Message -
From: Al Musella, DPM [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Friday, July 25, 2008 9:04 AM
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
this without going to the extreme that you suggest
+Infinity.
(I'd add some sort of really intelligent comment, but, well, Robert already
covered that part.)
On Fri, Jul 25, 2008 at 11:14 AM, Robert Harrison wrote:
www.austin-williams.com
Great advertising can't be either/or... It must be .
-Original Message-
From: Matt Quackenbush [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:42 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
how about changing cfquery so that by default, only ONE sql
statement can be sent. Let us override that with a parameter in
cfquery or a cfprocessing directive type of thing in our
application.cfm..
Pretty good idea.
I doubt many people use multiple sql statements in one cfquery,
Also
Is there a kind of way to stop the botnet from spamming websites? Hacker has
to stop it? or right now if it is automated is there any way?
Radek
On Fri, Jul 25, 2008 at 12:56 PM, Dave Watts [EMAIL PROTECTED] wrote:
I have to hand it to Claude - he definitely has confidence :)
-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:15 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
how about changing
That is more a function of the db.
Exactly, and I don't see how CF could prevent multiple execution.
It should compile the SQL code for that, and it does not.
Unless ODBC/JDBC drivers have a function to disable it.
--
___
REUSE CODE! Use custom tags;
See
I have to hand it to Claude - he definitely has confidence
Well, unless ODBC and JDBC have some function to enable/disable multi
statements,
It would certainly be much trouble to implement this in CF.
I've checked rapidly in the ODBC docs, and I don't see any reference to
multi statement.
RiaForge.org doesn't work, tried to get the cfqueryparam scanner:
http://qpscanner.riaforge.org/
Anybody know what happened?
Radek
On Fri, Jul 25, 2008 at 1:46 PM, Claude Schneegans
[EMAIL PROTECTED] wrote:
: Radek Valachovic [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Friday, July 25, 2008 1:11 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
-International-Operation-cfSQLprotect
~Brad
RIAForge is back up ...
-Original Message-
From: Radek Valachovic [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 2:20 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
I have it installed already, but other guys in forums asking
What do you think about this solution for sites with 5000 files
It may be satisfactory for a temporary fix, to give you enough time to fix
your 5000 files. It is almost certainly unsuitable as a permanent solution.
This part is fairly vague:
Checks all FORM and URL input for SQL injection code
That's what I thought same thing, temporary fix. Thanks for checking that
out and posting scanners.
OK.. You are right.. drop my request..
but I would request 3 other enhancements to dreamweaver to make these
changes easier:
1. Put the sql queryparam on the main CF toolbar..
2. When you right click the file name in the Files area you can
select PUT.. I would like to add that functionality
I requested that code from them earlier, so in case I will receive it, gonna
send it to you.
Radek
What do you think about this solution for sites with 5000 files:
This looks similar to the solution I am providing to my customers (I have a lot
that run old releases that are not as well protected as my current one and have
little desire to either update their software *or* the code). I used
Ok gonna check that out thanks.
I just uploaded a new version that includes the cookie scope, and commonly used
CGI vars as well.
While this has been a headache to deal with, at least it might convince more of
my customers to get around to updating their sites. ;-) It often doesn't matter
Tell me about it. I told one of my customers (e-commerce store) to backup
often DB (if u do some edits to DB make a backup!!!) and told him to buy
hard-drive or RAID 1 or RAID 5 solution to backup the DB and website, he
said no no no expensive, 6 days ago he got hit cause who made this site
never
I won't mention names but a few popular websites I use have been
hit.. one was down for 3 days now.
Recently I set up an anonymous ftp server.. I needed a few people to
send me files and I thought that would be the easiest way. The url
was private - not published anywhere.. 2 days later
I set up a scheduled task to check my database every 15 minutes. It
looks for my entry in the users table, and compares my email address
and website address with what is in the database. IF it differs, I
get an email. I did the same thing for 10 different tables.
If I do find any
Interesting question:
<!--- <cfif isdefined('url.dimension')>
<cfquery name="test" datasource="#DB#" username="#USER#" password="#PASS#">
select age,size
from accessories
where age='#url.age#' and visible=1
</cfquery></cfif> --->
This is a commented query in the code: Do any of you think it can process
I just got hit by this on one of my older sites (inconsistent use of
cfqueryparam) yesterday. I found an immensely helpful and very timely
posting here
http://russ.michaels.me.uk/index.cfm/2008/7/24/SQL-Injection-Attacks--How-to-protect_yourself
(I
believe Snake is a list participant). I spent 7
: Gabriel [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 23, 2008 11:16 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...
Mark,
The comment block obfuscation technique has been posted on blog articles
that I have read through the years, however
http
This is a classic reason why that sort of blocking method
is in my opinion only useful for a temporary stopgap.
It is actually only safe and useful for numeric parameters or dates, but
for text fields
obviously, something more accurate must be used.
And CFQUERYPARAM won't help either.
--
And what about my page exec(.cfm?! :OD
Just checking my logs now and I'm getting hit by this too.
cfqp'd all the way though...
-Original Message-
From: james carberry [mailto:[EMAIL PROTECTED]
Sent: 21 July 2008 18:54
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
Bottom line: ***always*** use cfqueryparam. Period. There are no
acceptable exceptions to the rule.
Even with something like
UPDATE myTable SET myDate = <cfqueryparam value="#now()#" CFSQLType="CF_SQL_TIMESTAMP">?
OR this:
UPDATE
What if the hacker puts a space between EXEC and the (?
-Original Message-
From: Radek Valachovic [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 23, 2008 7:30 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
What about if I put:
cfif cgi.SCRIPT_NAME
not ideal, but it works if you come across this problem.
Adrian
-Original Message-
From: Experienced CF Developer [mailto:[EMAIL PROTECTED]
Sent: 21 July 2008 22:32
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...
And for those of you who take this advice
Keywords and banning IPs by themselves are not the answer
Exactly. But it helps to reduce the impact.
There is no panacea, only a set of measures.
--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send
Add one to the list. One of my old sites just got brought down. We restored
the DB and fixed it. That lasted about 15 minutes.
Now, how to deal with code fixing 40 old sites that we don't get paid
maintenance for. ARRRGH!
Robert B. Harrison
Director of Interactive services
Austin Williams
-Original Message-
From: Adrian Lynch [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 8:34 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...
Dear Dave Phillips, you have made a generalisation and I have a dissenting
opinion ;O)
I use SELECT
-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: 24 July 2008 14:54
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
Sent: Wednesday, July 23, 2008 5:15 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
One of my websites got hit.. I always use cfqueryparam - at least for the
last few years, but some old code (this website started with version 1 of
CF) was still hanging
and Billy New-Developer comes along and decides that
someOtherQuery.someOtherValue could really do with coming directly from the
user? Will he add the cfqp if it's not already there?
This is irrelevant, because:
1. if both fields are numeric, there is no possibility
OtherQuery.someOtherValue
var listSQLInject = "cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,drop,--,'";
Don't forget to include user in your list. The first thing hackers try
generally is to get to
your table of users and passwords.
Do you fully understand what cfqueryparam does when binding text
parameters into the query?
On Thu, Jul 24, 2008 at 9:54 PM, Claude Schneegans
[EMAIL PROTECTED] wrote:
2. if both fields are text, CFQUERYPARAM won't detect anything harmful
and won't help anyway.
--
mxAjax / CFAjax docs and
Do you fully understand what cfqueryparam does when binding text
parameters into the query?
Yes, fully.
I've designed CFX_ODBCinfo, and some other tools, and I'm pretty aware
of the way ODBC or JDBC drivers work.
This is precisely why I can say when it is useful and when it is not.
--
But Billy has been told to turn:
SET myValue = #someOtherQuery.someOtherValue#
into:
SET myValue = #FORM.someOtherValue#
Then obviously, he should add CFQP to the line of code at the same time,
what's the problem?
My point is just that in some situations, CFQP is useless,
of course, is you
Try telling that to Billy, he just got fired!
-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: 24 July 2008 15:58
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
On Thu, Jul 24, 2008 at 10:52 AM, Claude Schneegans
[EMAIL PROTECTED] wrote:
It may be a silly question, but why a SELECT * will break because an
unused column
was dropped?
It shouldn't make a difference if the SELECT * is in a cfquery (though that
is bad practice, too), but if it is in a
In our case, what
happened was that we dropped a column that hadn't been in use for awhile,
and everything broke because of the SELECT * and cfqueryparam.
I see.
A very particular situation though. It will not prevent me from using
SELECT * when
I need all fields. This is more efficient than listing all of them.
On the opposite, using SELECT * just to get a record count is the worse
So you know that it *always* prevents SQL injection in a standard
query (select, update or delete). That's a good enough reason to
always use it for me.
This is not the only case. If you use pooled statements on the
datasource (which is a default for CF) you can demonstrate another
case:
Create a table.
Select * from it in a CF template.
Add a column to the table in the DB.
Run the same template again.
See the problem.
So you know that it *always* prevents SQL injection in a standard
query (select, update or delete).
Really? Can you give an example of injection that will be prevented?
I'll say it again.
ANY string passed into cfqueryparam cannot be executed as SQL:
select somecolumn
from sometable
where someothercolumn = <cfqueryparam cfsqltype="varchar" value="URL.TryToHackThis">
It is irrelevant what gets passed in the URL.TryToHackThis; it cannot
be executed as a SQL statement.
Obviously cfsqltype=varchar should be cfsqltype=cf_sql_varchar (my typo).
Jeez, and value=URL.TryToHackThis should be value=#URL.TryToHackThis#
That's what I get for answering at midnight.
ANY string passed into cfqueryparam cannot be executed as SQL:
Is it really possible to get an SQL statement executed from a string for
a text field
without closing the string first with an apostrophe?
Jeez, and value=URL.TryToHackThis should be value=#URL.TryToHackThis#
so you see that CFQP is not that easy to use ;-))
Closing the apostrophe is exactly how SQL injection occurs with text
field
Ok, you got it!
BUT CFQUERY will escape that apostrophe anyway, so that the SQL injection
will
just be part of the string stored in the field whether you use CFQP or not.
-talk@houseoffusion.com
Sent: Thursday, July 24, 2008 11:32 AM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
Not if you use MySQL. That DBMS allows for an alternative way to escape
those with a backslash.
Ok, then let's say that CFQP should always be used with MySQL...
.. and you haven't turned off MySQL's default ways of escaping those
ticks
Do you think when I am using cfqueryparams for example with numbers like
this it is secure?:
SELECT * FROM product WHERE productoid=<cfqueryparam value="#url.productoid#" cfsqltype="CF_SQL_INTEGER" maxlength="6">
Another example I am thinking worse is with text, I made it like this:
SELECT * FROM item
: Radek Valachovic [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Thursday, July 24, 2008 12:12 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
That's fair enough from a security stand point, but I still use cfqueryparam
with MS SQL for performance reason.
When your database executes a SQL statement, it generates an execution plan
that best fits that statement and it caches that plan in memory for later
use (so it doesn't have to be
Using CFQUERYPARAM will secure your DB calls. That doesn't mean you don't
have other problems. But it does mean that executing arbitrary code against
the DB using user inputs (form, url, cookie) is no longer possible
When your database executes a SQL statement, it generates an
execution plan
that best fits that statement and it caches that plan in memory for later
use.
Ok, this is another example where CFQP is useful, as the doc says.
But if the query is not likely to be executed often, which is
the case with small sites, generating the execution plan
might represent an overhead on the contrary.
(just assuming, I have not run tests, and I don't really
On Thu, Jul 24, 2008 at 10:48 AM, Radek Valachovic [EMAIL PROTECTED]
wrote:
Yeah I was reading in the forum this one, that using SELECT * is not good,
can u explain why on short example? What is Pro and Cons what other type of
security it gonna give me? Thanks
Not using SELECT * is more of a
A very particular situation though. It will not prevent me
from using SELECT * when I need all fields. This is more
efficient than list all of them.
It may be more efficient for you as you type them out, but it will be less
efficient for your database, which has to figure out what *
If you don't really care
I don't really care measuring the difference it makes, because it must
certainly be marginal,
and it is not because I don't care the difference it can made that I cannot
make a comment about it.
It may be a silly question, but why a SELECT * will brake
because an unused column was dropped?
For the same reason that SELECT * will break if you use it in a view, run
the view, then change the underlying schema. The * gets dereferenced to
actual columns in the execution plan, which gets
it's safe to say that avoiding * is a good idea,
Now that's the kind of statement I prefer: a good idea,
better than *always* or *never* :-)
Fine, it's always a good idea to never use *
;-)
--- Ben
-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 2:13 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
On Thu, Jul 24, 2008 at 11:20 AM, Claude Schneegans
[EMAIL PROTECTED] wrote:
A very particular situation though.
Perhaps, but the following demonstrates how this kind of issue can be even
more problematic when the table is changed in such a way that no error is
thrown by the view...
CREATE
What would you suggest for this kind of thing:
Select USERID
from users
where email = '#trim(arguments.email)#' and password = '#trim(arguments.password)#'
Something like this?
Select USERID
from users
where email = <cfqueryparam value="#trim(arguments.email)#" cfsqltype="CF_SQL_VARCHAR">
This is starting to sound like a bad multiple choice question from a college
final... :)
~Brad
- Original Message -
From: Ben Forta [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Thursday, July 24, 2008 1:15 PM
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My
1 - 100 of 228 matches