RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mark Kruger
-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta To anyone who happened to use the regex I posted earlier, I have an updated method to be used in place, effective immediately. // Short list of db objects to protect DBObj.short = 'database|function|procedure|role

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head

2008-07-28 Thread Mark Kruger
: Sunday, July 27, 2008 7:05 PM To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta To anyone who happened to use the regex I posted earlier, I have an updated method to be used in place, effective immediately. // Short list of db objects to protect

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Che Vilnonis
Gabriel... would you post the page in complete working order with your code modifications? Thanks! -Original Message- From: Gabriel [mailto:[EMAIL PROTECTED] Sent: Sunday, July 27, 2008 8:05 PM To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mark Kruger
Scractching My Head... To Ben Forta Gabriel... would you post the page in complete working order with your code modifications? Thanks! -Original Message- From: Gabriel [mailto:[EMAIL PROTECTED] Sent: Sunday, July 27, 2008 8:05 PM To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Che Vilnonis
-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta Gabriel... would you post the page in complete working order with your code modifications? Thanks! -Original Message- From: Gabriel [mailto:[EMAIL PROTECTED] Sent: Sunday, July 27, 2008 8:05 PM To: CF-Talk

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mark Kruger
for your situation. -Mark -Original Message- From: Che Vilnonis [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 9:01 AM To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta Thanks Mark. So, the function checkSQLInject(str) and the function

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mary Jo Sminkey
The code on my blog is a working example, but it's not drop-in ready - you would still need to check the form and cookie scope, for example... So either way you will need to do some tweaking to get it to work for your situation. I'm going to post an updated version of my tool later today, just want

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mary Jo Sminkey
Version 2 of the scanner I did is now available here: http://www.cfwebstore.com/index.cfm?fuseaction=page.downloaddownloadID=18 This has *not* been heavily tested as of yet, so use at your own risk! --- Mary Jo

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mary Jo Sminkey
This has *not* been heavily tested as of yet, so use at your own risk! There was a little mistake in the scanner I posted earlier that could cause it to hang, if anyone downloaded it before, please grab the updated copy. In just some basic iteration checking, the new version does appear to be

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head

2008-07-28 Thread Robert Harrison
Version 2 of the scanner I did is now available here: http://www.cfwebstore.com/index.cfm?fuseaction=page.downloaddownloadID=18 Am I missing something here? I thought CFQUERYPARAM solved this problem. Is this redundant, or is there some problem with CFQUERYPARAM I'm missing? Robert B. Harrison

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head

2008-07-28 Thread Cutter (CFRelated)
MaryJo produces a product that she supports on older platforms, hence the need to bypass cfqueryparam. Steve Cutter Blades Adobe Certified Professional Advanced Macromedia ColdFusion MX 7 Developer _ http://blog.cutterscrossing.com Robert Harrison wrote: Version 2

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head

2008-07-28 Thread Brad Wood
Attempt Leaves Me Scractching My Head MaryJo produces a product that she supports on older platforms, hence the need to bypass cfqueryparam.

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head

2008-07-28 Thread Kris Jones
I have a client who reluctantly upgraded to CF5 from CF4.0 last year (yes, that would be 2007) because a sysadmin _accidentally_ upgraded, and they couldn't find the original 4.0 disks. While they'd like to upgrade to CF7 or CF8, the cost of migrating the many, many apps they have is cost

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head

2008-07-28 Thread Mary Jo Sminkey
MaryJo produces a product that she supports on older platforms, hence the need to bypass cfqueryparam. Actually, that's not really the issue so much as customers that are running older versions of my software that don't have all the text inputs covered with cfqueryparams. While this is

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-27 Thread Gabriel
-Original Message- From: Mary Jo Sminkey [mailto:[EMAIL PROTECTED] Sent: Saturday, 26 July 2008 5:40 AM To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta What do you think about this solution for sites with 5000 files: This looks similar to the solution I

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-27 Thread Mary Jo Sminkey
This will fix a problem in which a long string containing too many back references for non-word chars can cause a stack overflow. As much as I love CF, I find the native regex implementation sadly lacking. Thanks for the update... I'm not sure if any of my customers are using a host that

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Al Musella, DPM
Ben, Seeing as how this type of sql injection attack is succeeding so much (even my favorite fishing website has been down for days due to it (it is a .cfm site))... how about changing cfquery so that by default, only ONE sql statement can be sent. Let us override that with a parameter in

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Robert Harrison
how about changing cfquery so that by default... NO NO NO NO NO NO NO NO I've used nested SQL all the time, and I've got over 100 web sites up. Validate and use REREPLACE and CFQUERYPARAM and you're fine. Don't ever make a function change that kills existing code written correctly.

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Dave Francis
I find it useful on occasion with INSERT then SELECT @IDENTITY -Original Message- From: Al Musella, DPM [mailto:[EMAIL PROTECTED] Sent: Friday, July 25, 2008 12:05 PM To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta Ben, Seeing as how

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread John Rossi
Francis [mailto:[EMAIL PROTECTED] Sent: Friday, July 25, 2008 12:16 PM To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta I find it useful on occasion with INSERT then SELECT @IDENTITY -Original Message- From: Al Musella, DPM [mailto:[EMAIL

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Jochem van Dieten
Al Musella, DPM wrote: Seeing as how this type of sql injection attack is succeeding so much (even my favorite fishing website has been down for days due to it (it is a .cfm site))... how about changing cfquery so that by default, only ONE sql statement can be sent. That is a *very*

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Josh Nathanson
you'd still have to remember to switch it off. -- Josh - Original Message - From: Al Musella, DPM [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Friday, July 25, 2008 9:04 AM Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta Ben, Seeing

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Greg Morphis
this without going to the extreme that you suggest - Original Message - From: Al Musella, DPM [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Friday, July 25, 2008 9:04 AM Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta Ben, Seeing

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Matt Quackenbush
+Infinity. (I'd add some sort of really intelligent comment, but, well, Robert already covered that part.) On Fri, Jul 25, 2008 at 11:14 AM, Robert Harrison wrote: how about changing cfquery so that by default... NO NO NO NO NO NO NO NO I've used nested SQL all the time, and I've

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Dave Watts
Seeing as how this type of sql injection attack is succeeding so much (even my favorite fishing website has been down for days due to it (it is a .cfm site))... how about changing cfquery so that by default, only ONE sql statement can be sent. Let us override that with a parameter

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Robert Harrison
www.austin-williams.com Great advertising can't be either/or... It must be . -Original Message- From: Matt Quackenbush [mailto:[EMAIL PROTECTED] Sent: Friday, July 25, 2008 12:42 PM To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta +Infinity

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Claude Schneegans
how about changing cfquery so that by default, only ONE sql statement can be sent. Let us override that with a parameter in cfquery or a cfprocessing directive type of thing in our application.cfm.. Pretty good idea. I doubt many people use multiple sql statements in one cfquery. Also

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
Is there a kind of way to stop the botnet from spamming websites? Hacker has to stop it? or right now if it is automated is there any way? Radek On Fri, Jul 25, 2008 at 12:56 PM, Dave Watts [EMAIL PROTECTED] wrote: Seeing as how this type of sql injection attack is succeeding so much

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Mark Kruger
I have to hand it to Claude - he definitely has confidence :) -Original Message- From: Claude Schneegans [mailto:[EMAIL PROTECTED] Sent: Friday, July 25, 2008 12:15 PM To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta how about changing

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Claude Schneegans
That is more a function of the db. Exactly, and I don't see how CF could prevent multiple execution. It would have to compile the SQL code for that, and it does not. Unless ODBC/JDBC drivers have a function to disable it. -- ___ REUSE CODE! Use custom tags; See

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Claude Schneegans
I have to hand it to Claude - he definitely has confidence Well, unless ODBC and JDBC have some function to enable/disable multi statements, it would certainly be much trouble to implement this in CF. I've checked rapidly in the ODBC docs, and I don't see any reference to multi statement.

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
RiaForge.org doesn't work, tried to get the cfqueryparam scanner: http://qpscanner.riaforge.org/ anybody knows what happened? Radek On Fri, Jul 25, 2008 at 1:46 PM, Claude Schneegans [EMAIL PROTECTED] wrote: I have to hand it to Claude - he definitely has confidence Well, unless ODBC

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Brad Wood
- Original Message - From: Claude Schneegans [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Friday, July 25, 2008 12:46 PM Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta I have to hand it to Claude - he definitely has confidence Well, unless ODBC

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Brad Wood
: Radek Valachovic [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Friday, July 25, 2008 1:11 PM Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta RiaForge.org doesn't work, tried to get the cfqueryparam scanner: http://qpscanner.riaforge.org

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
-International-Operation-cfSQLprotect ~Brad - Original Message - From: Radek Valachovic [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Friday, July 25, 2008 1:11 PM Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta RiaForge.org doesn't

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
@houseoffusion.com Sent: Friday, July 25, 2008 1:11 PM Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta RiaForge.org doesn't work, tried to get the cfqueryparam scanner: http://qpscanner.riaforge.org/ anybody knows what happened? Radek

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Ben Forta
RIAForge is back up ... -Original Message- From: Radek Valachovic [mailto:[EMAIL PROTECTED] Sent: Friday, July 25, 2008 2:20 PM To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta I have it installed already, but other guys in forums asking

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Brad Wood
: Friday, July 25, 2008 1:33 PM Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta RIAForge is back up ...

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Dave Watts
What do you think about this solution for sites with 5000 files It may be satisfactory for a temporary fix, to give you enough time to fix your 5000 files. It is almost certainly unsuitable as a permanent solution. This part is fairly vague: Checks all FORM and URL input for SQL injection code

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
That's what I thought, same thing, temporary fix. Thanks for checking that out and posting scanners. On Fri, Jul 25, 2008 at 2:42 PM, Dave Watts [EMAIL PROTECTED] wrote: What do you think about this solution for sites with 5000 files It may be satisfactory for a temporary fix, to give you

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Al Musella, DPM
OK.. You are right.. drop my request.. but I would request 3 other enhancements to dreamweaver to make these changes easier: 1. Put the sql queryparam on the main CF toolbar.. 2. When you right click the file name in the Files area you can select PUT.. I would like to add that functionality

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
I requested that code from them earlier, so in case I receive it, gonna send it to you. Radek On Fri, Jul 25, 2008 at 2:42 PM, Radek Valachovic [EMAIL PROTECTED] wrote: That's what I thought, same thing, temporary fix. Thanks for checking that out and posting scanners. On Fri, Jul 25,

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Mary Jo Sminkey
What do you think about this solution for sites with 5000 files: This looks similar to the solution I am providing to my customers (I have a lot that run old releases that are not as well protected as my current one and have little desire to either update their software *or* the code). I used

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
Ok, gonna check that out, thanks. On Fri, Jul 25, 2008 at 3:40 PM, Mary Jo Sminkey [EMAIL PROTECTED] wrote: What do you think about this solution for sites with 5000 files: This looks similar to the solution I am providing to my customers (I have a lot that run old releases that are not as

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Mary Jo Sminkey
Ok, gonna check that out, thanks. I just uploaded a new version that includes the cookie scope, and commonly used CGI vars as well. While this has been a headache to deal with, at least it might convince more of my customers to get around to updating their sites. ;-) It often doesn't matter

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
Tell me about it. I told one of my customers with an e-commerce store to back up the DB often (if u do some edits to the DB, make a backup!!!) and told him to buy a hard-drive or RAID 1 or RAID 5 solution to back up the DB and website, he said no no no, expensive, 6 days ago he got hit cause who made this site never

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-25 Thread Al Musella, DPM
I won't mention names but a few popular websites I use have been hit.. one was down for 3 days now. Recently I set up an anonymous ftp server.. I needed a few people to send me files and I thought that would be the easiest way. The url was private - not published anywhere.. 2 days later

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-25 Thread Al Musella, DPM
I set up a scheduled task to check my database every 15 minutes. It looks for my entry in the users table, and compares my email address and website address with what is in the database. IF it differs, I get an email. I did the same thing for 10 different tables. If I do find any

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-25 Thread Radek Valachovic
Interesting question: <!--- <cfif isdefined('url.dimension')><cfquery name="test" datasource="#DB#" username="#USER#" password="#PASS#">select age,size from accessories where age='#url.age#' and visible=1</cfquery></cfif> ---> This is a commented query in the code: Do any of you think if can process

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-25 Thread Pete Ruckelshaus
I just got hit by this on one of my older sites (inconsistent use of cfqueryparam) yesterday. I found an immensely helpful and very timely posting here http://russ.michaels.me.uk/index.cfm/2008/7/24/SQL-Injection-Attacks--How-to-protect_yourself (I believe Snake is a list participant). I spent 7

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-25 Thread Dave Watts
Interesting question: <!--- <cfif isdefined('url.dimension')><cfquery name="test" datasource="#DB#" username="#USER#" password="#PASS#">select age,size from accessories where age='#url.age#' and visible=1</cfquery></cfif> ---> This is a commented query in the code: Do any of you think if

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Mark Kruger
: Gabriel [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 23, 2008 11:16 PM To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... Mark, The comment block obfuscation technique has been posted on blog articles that I have read through the years, however http

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
This is a classic reason why that sort of blocking method is in my opinion only useful for a temporary stop gap. It is actually only safe and useful for numeric parameters or dates, but for text fields obviously, something more accurate must be used. And CFQUERYPARAM won't help either. --

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Adrian Lynch
And what about my page exec(.cfm?! :OD Just checking my logs now and I'm getting hit by this too. cfqp'd all the way though... -Original Message- From: james carberry [mailto:[EMAIL PROTECTED] Sent: 21 July 2008 18:54 To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Adrian Lynch
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... Bottom line: ***always*** use cfqueryparam. Period. There are no acceptable exceptions to the rule. Even with something like UPDATE myTable SET myDate = <cfqueryparam value="#now()#" CFSQLType="CF_SQL_TIMESTAMP">? OR this: UPDATE

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Andy Matthews
What if the hacker puts a space between EXEC and the (? -Original Message- From: Radek Valachovic [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 23, 2008 7:30 PM To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... What about if I put: cfif cgi.SCRIPT_NAME

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Adrian Lynch
not ideal, but it works if you come across this problem. Adrian -Original Message- From: Experienced CF Developer [mailto:[EMAIL PROTECTED] Sent: 21 July 2008 22:32 To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... And for those of you who take this advice

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
Keywords and banning IPs by themselves are not the answer Exactly. But it helps to reduce the impact. There is no panacea, only a set of measures. -- ___ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Robert Harrison
Add one to the list. One of my old sites just got brought down. We restored the DB and fixed it. That lasted about 15 minutes. Now, how to deal with code fixing 40 old sites that we don't get paid maintenance for. ARRRGH! Robert B. Harrison Director of Interactive services Austin Williams

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Dave Phillips
-Original Message- From: Adrian Lynch [mailto:[EMAIL PROTECTED] Sent: Thursday, July 24, 2008 8:34 AM To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... Dear Dave Phillips, you have made a generalisation and I have a dissenting opinion ;O) I use SELECT

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Adrian Lynch
- From: Claude Schneegans [mailto:[EMAIL PROTECTED] Sent: 24 July 2008 14:54 To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... and Billy New-Developer comes along and decides that someOtherQuery.someOtherValue could really do with coming directly from the user

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Andy Matthews
PROTECTED] Sent: Wednesday, July 23, 2008 5:15 PM To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... One of my websites got hit.. I always use cfqueryparam - at least for the last few years, but some old code (this website started with version 1 of CF) was still hanging

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
and Billy New-Developer comes along and decides that someOtherQuery.someOtherValue could really do with coming directly from the user? Will he add the cfqp if it's not already there? This is irrelevant, because: 1. if both fields are numeric, there is no possibility OtherQuery.someOtherValue

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
var listSQLInject = "cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,drop,--,'"; Don't forget to include user in your list. The first thing hackers try generally is to get to your table of users and passwords. -- ___ REUSE CODE! Use

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread James Holmes
Do you fully understand what cfqueryparam does when binding text parameters into the query? On Thu, Jul 24, 2008 at 9:54 PM, Claude Schneegans [EMAIL PROTECTED] wrote: 2. if both fields are text, CFQUERYPARAM won't detect anything harmful and won't help anyway. -- mxAjax / CFAjax docs and

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
Do you fully understand what cfqueryparam does when binding text parameters into the query? Yes, fully. I've designed CFX_ODBCinfo, and some other tools, and I'm pretty aware of the way ODBC or JDBC drivers work. This is precisely why I can say when it is useful and when it is not. --

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
But Billy has been told to turn: SET myValue = #someOtherQuery.someOtherValue# into: SET myValue = #FORM.someOtherValue# Then obviously, he should add CFQP to the line of code at the same time, what's the problem? My point is just that in some situations, CFQP is useless, of course, if you

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Adrian Lynch
Try telling that to Billy, he just got fired! -Original Message- From: Claude Schneegans [mailto:[EMAIL PROTECTED] Sent: 24 July 2008 15:58 To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... Do you fully understand what cfqueryparam does when binding text

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Jim Wright
On Thu, Jul 24, 2008 at 10:52 AM, Claude Schneegans [EMAIL PROTECTED] wrote: It may be a silly question, but why will a SELECT * break because an unused column was dropped? It shouldn't make a difference if the SELECT * is in a cfquery (though that is bad practice, too), but if it is in a

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
In our case, what happened was that we dropped a column that hadn't been in use for awhile, and everything broke because of the SELECT * and cfqueryparam. It may be a silly question, but why will a SELECT * break because an unused column was dropped? -- ___

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
It shouldn't make a difference if the SELECT * is in a cfquery I see. A very particular situation though. It will not prevent me from using SELECT * when I need all fields. This is more efficient than listing all of them. On the opposite, using SELECT * just to get a record count is the worst

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread James Holmes
So you know that it *always* prevents SQL injection in a standard query (select, update or delete). That's a good enough reason to always use it for me. On Thu, Jul 24, 2008 at 10:58 PM, Claude Schneegans [EMAIL PROTECTED] wrote: Do you fully understand what cfqueryparam does when binding text

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread James Holmes
This is not the only case. If you use pooled statements on the datasource (which is a default for CF) you can demonstrate another case: Create a table. Select * from it in a CF template. Add a column to the table in the DB. Run the same template again. See the problem. On Thu, Jul 24, 2008 at

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
So you know that it *always* prevents SQL injection in a standard query (select, update or delete). Really? Can you give an example of injection that will be prevented? -- ___ REUSE CODE! Use custom tags; See

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread James Holmes
I'll say it again. ANY string passed into cfqueryparam cannot be executed as SQL: select somecolumn from sometable where someothercolumn = cfqueryparam cfsqltype=varchar value=URL.TryToHackThis It is irrelevant what gets passed in the URL.TryToHackThis; it cannot be executed as a SQL statement.

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread James Holmes
Obviously cfsqltype=varchar should be cfsqltype=cf_sql_varchar (my typo). On Thu, Jul 24, 2008 at 11:55 PM, James Holmes [EMAIL PROTECTED] wrote: I'll say it again. ANY string passed into cfqueryparam cannot be executed as SQL: select somecolumn from sometable where someothercolumn =

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread James Holmes
Jeez, and value=URL.TryToHackThis should be value=#URL.TryToHackThis# That's what I get for answering at midnight. On Thu, Jul 24, 2008 at 11:57 PM, James Holmes [EMAIL PROTECTED] wrote: Obviously cfsqltype=varchar should be cfsqltype=cf_sql_varchar (my typo). On Thu, Jul 24, 2008 at 11:55

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
ANY string passed into cfqueryparam cannot be executed as SQL: Is it really possible to get an SQL statement executed from a string for a text field without closing the string first with an apostrophe? -- ___ REUSE CODE! Use custom tags; See

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
Jeez, and value=URL.TryToHackThis should be value=#URL.TryToHackThis# so you see that CFQP is not that easy to use ;-)) -- ___ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Brad Wood
: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... ANY string passed into cfqueryparam cannot be executed as SQL: Is it really possible to get an SQL statement executed from a string for a text field without closing the string first with an apostrophe

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
Closing the apostrophe is exactly how SQL injection occurs with text field Ok, you got it! BUT CFQUERY will escape that apostrophe anyway, so that the SQL injection will just be part of the string stored in the field whether you use CFQP or not. -- ___ REUSE

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Brad Wood
-talk@houseoffusion.com Sent: Thursday, July 24, 2008 11:32 AM Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... Closing the apostrophe is exactly how SQL injection occurs with text field Ok, you got it! BUT CFQUERY will escape that apostrophe anyway, so that the SQL injection

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
Not if you use MySQL. That DBMS allows for an alternative way to escape those with a backslash. Ok, then let's say that CFQP should always be used with MySQL... .. and you haven't turned off MySQL's default ways of escaping those ticks ... IF you have not turned off MySQL's default ways of

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Radek Valachovic
Do you think when I am using cfqueryparams for example with numbers like this is secured?: SELECT * FROM product WHERE productoid=<cfqueryparam value="#url.productoid#" cfsqltype="CF_SQL_INTEGER" maxlength="6"> Another example I am thinking worse is with text, I made it like this: SELECT * FROM item

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Brad Wood
: Radek Valachovic [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Thursday, July 24, 2008 12:12 PM Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... Do you think when I am using cfqueryparams for example with numbers like this is secured

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Mark Kruger
(402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -Original Message- From: Radek Valachovic [mailto:[EMAIL PROTECTED] Sent: Thursday, July 24, 2008 12:12 PM To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... Do you think when I am

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Brad Wood
That's fair enough from a security stand point, but I still use cfqueryparam with MS SQL for performance reasons. When your database executes a SQL statement, it generates an execution plan that best fits that statement and it caches that plan in memory for later use (so it doesn't have to be

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Radek Valachovic
] To: CF-Talk cf-talk@houseoffusion.com Sent: Thursday, July 24, 2008 12:12 PM Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... Do you think when I am using cfqueryparams for example with numbers like this is secured

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Mark Kruger
To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... Using CFQUERYPARAM will secure your DB calls. That doesn't mean you don't have other problems. But it does mean that executing arbitrary code against the DB using user inputs (form, url, cookie) is no longer possible

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
When your database executes a SQL statement, it generates an execution plan that best fits that statement and it caches that plan in memory for later use. Ok, this is another example where CFQP is useful, as the doc says. But if the query is not likely to be executed often, which is the case

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Dave Watts
Ok, this is another example where CFQP is useful, as the doc says. But if the query is not likely to be executed often, which is the case with small sites, generating the execution plan might represent an overhead on the contrary. (just assuming, I have not run tests, and I don't really

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Charlie Griefer
On Thu, Jul 24, 2008 at 10:48 AM, Radek Valachovic [EMAIL PROTECTED] wrote: Yeah I was reading in the forum this one, that using SELECT * is not good, can you explain why on a short example? What are the pros and cons, what other type of security is it gonna give me? Thanks Not using SELECT * is more of a

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Dave Watts
A very particular situation though. It will not prevent me from using SELECT * when I need all fields. This is more efficient than list all of them. It may be more efficient for you as you type them out, but it will be less efficient for your database, which has to figure out what *

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
If you don't really care I don't really care measuring the difference it makes, because it must certainly be marginal, and it is not because I don't care about the difference it can make that I cannot make a comment about it. -- ___ REUSE CODE! Use custom tags;

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Dave Watts
It may be a silly question, but why a SELECT * will break because an unused column was dropped? For the same reason that SELECT * will break if you use it in a view, run the view, then change the underlying schema. The * gets dereferenced to actual columns in the execution plan, which gets

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Claude Schneegans
it's safe to say that avoiding * is a good idea, Now that's the kind of statement I prefer: a good idea, better than *always* or *never* :-) -- ___ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Ben Forta
Fine, it's always a good idea to never use * ;-) --- Ben -Original Message- From: Claude Schneegans [mailto:[EMAIL PROTECTED] Sent: Thursday, July 24, 2008 2:13 PM To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... it's safe to say that avoiding

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Jim Wright
On Thu, Jul 24, 2008 at 11:20 AM, Claude Schneegans [EMAIL PROTECTED] wrote: A very particular situation though. Perhaps, but the following demonstrates how this kind of issue can be even more problematic when the table is changed in such a way that no error is thrown by the view... CREATE
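Dave's and Jim's point is that a `SELECT *` whose result is consumed by position keeps "working" after a schema change while quietly returning the wrong columns. SQLite re-expands the `*` in a view on every use, so it cannot reproduce the SQL Server view behaviour Dave describes, but the same hazard shows up in application code that unpacks `SELECT *` rows positionally, and that is what this added example demonstrates (it is not Jim's script or code from the thread). The table, rows and the two "migrations" are constructed for the example.

```python
# Added example (not code from the thread). SQLite re-expands the * in a view
# each time it is used, so it cannot show the SQL Server view problem from
# the thread directly; instead this shows the same hazard in application
# code that consumes SELECT * by position. Table, rows and migrations are
# constructed for the demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (USERID INTEGER, email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'correct horse')")
    return conn


def load_star(conn) -> dict:
    """Consumes SELECT * positionally: correct only while column order holds."""
    out = {}
    for uid, email, password in conn.execute("SELECT * FROM users"):
        out[uid] = {"email": email, "password": password}
    return out


def load_explicit(conn) -> dict:
    """Names the columns, so the result does not depend on physical order."""
    out = {}
    for uid, email, password in conn.execute(
            "SELECT USERID, email, password FROM users"):
        out[uid] = {"email": email, "password": password}
    return out


def migrate_reorder(conn) -> None:
    """Rebuild users with password before email (SQLite cannot reorder in place)."""
    conn.executescript("""
        CREATE TABLE users_new (USERID INTEGER, password TEXT, email TEXT);
        INSERT INTO users_new (USERID, password, email)
            SELECT USERID, password, email FROM users;
        DROP TABLE users;
        ALTER TABLE users_new RENAME TO users;
    """)


def migrate_add_column(conn) -> None:
    """Append a column: SELECT * now yields four values per row."""
    conn.execute("ALTER TABLE users ADD COLUMN created TEXT")


def load_star_runs(conn) -> bool:
    """Report whether the positional consumer still executes without error."""
    try:
        load_star(conn)
        return True
    except ValueError:          # too many / too few values to unpack
        return False


if __name__ == "__main__":
    db = make_db()
    print("before:", load_star(db) == load_explicit(db))
    migrate_reorder(db)
    print("after reorder, star sees email =", load_star(db)[1]["email"])
    print("after reorder, explicit sees email =", load_explicit(db)[1]["email"])
    migrate_add_column(db)
    print("after add column, star still runs:", load_star_runs(db))
```

After the reorder the positional consumer returns the password in the `email` slot with no error at all, which is the silent failure Jim is pointing at; adding a column at least makes it fail loudly. The explicit column list is unaffected by either change.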

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Radek Valachovic
What would you suggest for this kind of thing: Select USERID from users where email = '#trim(arguments.email)#' and password = '#trim(arguments.password)#' Something like this? Select USERID from users where email = cfqueryparam value=#trim(arguments.email)# cfsqltype=CF_SQL_VARCHAR
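Radek's login query above, and his earlier question about an integer `productoid` with `cfsqltype=CF_SQL_INTEGER`, are both answered by binding the value instead of splicing it into the SQL text. The following is an added example (not code from the thread or from ColdFusion) using Python's `sqlite3` placeholders in the role of cfqueryparam; the `users` table, its rows and the helper names are constructed for the demonstration, and plaintext passwords are kept only to mirror the query in the post.

```python
# Added example (not code from the thread). The login query from the post,
# first built by concatenation and then with bound parameters, run against
# an in-memory SQLite database. The users table and rows are constructed
# for this demonstration; sqlite3's "?" placeholders stand in for
# cfqueryparam. Plaintext passwords are kept only to mirror the original.
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users "
                 "(USERID INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (USERID, email, password) VALUES (?, ?, ?)",
        [(1, "alice@example.com", "correct horse"),
         (2, "bob@example.com", "hunter2")])
    return conn


def login_concat(conn, email: str, password: str) -> list:
    """Vulnerable form from the post: values spliced into the SQL text."""
    sql = ("SELECT USERID FROM users WHERE email = '" + email.strip() +
           "' AND password = '" + password.strip() + "'")
    return [r[0] for r in conn.execute(sql)]


def login_param(conn, email: str, password: str) -> list:
    """cfqueryparam-style form: SQL text is fixed, values are bound."""
    sql = "SELECT USERID FROM users WHERE email = ? AND password = ?"
    return [r[0] for r in conn.execute(sql, (email.strip(), password.strip()))]


def user_by_id_concat(conn, raw_id: str) -> list:
    """Unquoted numeric concatenation: no apostrophe needed to inject."""
    return [r[0] for r in conn.execute(
        "SELECT USERID FROM users WHERE USERID = " + raw_id)]


def user_by_id(conn, raw_id: str, max_digits: int = 6) -> Optional[list]:
    """
    Analogue of cfsqltype=CF_SQL_INTEGER maxlength=6: reject anything that
    is not a plain integer of at most max_digits digits, then bind it.
    Returns None when the input is rejected.
    """
    s = raw_id.strip()
    if not s.isdigit() or len(s) > max_digits:
        return None
    return [r[0] for r in conn.execute(
        "SELECT USERID FROM users WHERE USERID = ?", (int(s),))]


if __name__ == "__main__":
    db = make_db()
    print("honest login  :", login_param(db, "alice@example.com", "correct horse"))
    print("concat bypass :", login_concat(db, "alice@example.com' --", "x"))
    print("param bypass  :", login_param(db, "alice@example.com' --", "x"))
    print("concat int    :", user_by_id_concat(db, "2 OR 1=1"))
    print("param int     :", user_by_id(db, "2 OR 1=1"))
```

With concatenation, `alice@example.com' --` as the e-mail logs in as Alice with any password, and `' OR '1'='1` in both fields returns every user; the bound version returns nothing for either payload. The numeric case shows why the integer type matters: with an unquoted number there is no apostrophe to escape, so `2 OR 1=1` is accepted verbatim by the concatenated query and rejected by the typed one.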

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-24 Thread Brad Wood
This is starting to sound like a bad multiple choice question from a college final... :) ~Brad - Original Message - From: Ben Forta [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Thursday, July 24, 2008 1:15 PM Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My
