On Mon, May 2, 2011 at 11:48 AM, Mike Kear wrote:
Thankfully I'd heeded good advice and
used cfqueryparam on all the queries in that site and nothing they
tried worked. They were submitting urls with parameters like :
From: Mark A. Kruger [mailto:mkru...@cfwebtools.com]
Sent: Monday, May 02, 2011 4:28 PM
To: cf-talk
Subject: RE: Bless cfqueryparam - helped defend against a persistent hack
attempt
I almost always see a significant gain in query performance - at least on
all versions of MSSQL - as much as 20-30 percent
You forgot a round in there too. ;)
On Mon, May 2, 2011 at 9:10 PM, Justin Scott leviat...@darktech.org wrote:
of course). If I have a numeric ID, I'm going to
min(abs(val(trim(url.id))), 200) that variable before it ever
makes it to the query (forces a positive in-range integer or
Right.
However about CFQUERYPARAM, keep in mind that:
- this will prevent SQL injection, not all forms of attacks;
- CFQUERYPARAM makes all values look like "parameter 1..." in the error
messages, instead of the real values, not really handy when debugging;
- CFQUERYPARAM makes all queries more difficult to write AND to read for
programmers;
Are you implying that cfqueryparam _shouldn't_ be used for these reasons??
No, I'm just saying that there are better and more efficient ways of fighting
attacks.
I use cfqueryparam on some occasions, but not everywhere blindly.
- CFQUERYPARAM makes all queries more difficult to write AND to read for
programmers;
I couldn't disagree more with this statement. Aside from the protection
benefits, the use of cfqueryparam creates bound sql parameters, which improve
query performance. I don't disagree with your suggestion
- CFQUERYPARAM makes all values look like "parameter 1..." in the error
messages, instead of the real values, not really handy when debugging;
There are parsers that will show the actual queries with values. My favorite
is the one that Ben Nadel wrote. It is a little JS bookmark widget.
In case anyone is interested. This is the JS bookmark widget that parses
Queryparam debugging info. Very handy.
http://www.bennadel.com/blog/459-Merging-ColdFusion-SQL-Debugging-And-Query-Params-With-Javascript.htm
HTH
G!
On Mon, May 2, 2011 at 9:14 AM, Gerald Guido gerald.gu...@gmail.com wrote:
Ok. I'll respect your opinion.
But for anyone new to CF that may read this, I don't believe there is a
debate about using cfqueryparam. My impression is that the settled majority
best practice is to use it blindly, use it everywhere rather than not use
it, or use it sparingly, or not use it
Just for the record, I use other techniques to protect my sites too,
but in this case, I was outlining what saved me.
Clearly there are a bazillion ways nasty people can do damage or
exploit weaknesses in sites.
In this case, I was grateful that I hadn't given in to the temptation
to
As an interesting aside, the same ip address started trying to probe
my mail server a few minutes ago, and my version of cfformprotect
picked it up and added the ip address to the banned ips. Now that
same ip address is banned from using any forms on any site I
administer.
Again, they get no
Mike, out of curiosity, what seems to be motivating these attacks? Malware
injections? Hacker cred? Revenge or grudge? Or just to vandalize and do
damage? It seems like a LOT of effort. I am also surprised that they are
using the same IP for so long and not changing proxies.
Thanx
G!
On Mon,
I don't know what the motivation is. All I've seen is repeated
attempts to inject stuff into the database - never getting anywhere.
So that means all the attempts so far are simply attempts to get at
passwords or schema. I'm supposing once they get a look at the
database they'll be able to
The site is still running happily now, after about 8 hours of this. I
don't know why they persisted for that long with no result - I would
have thought there were other targets they could go for if they're
getting no result here.
Chances are, it was an automated attack - the attacker might
cfqueryparam creates bound sql parameters, which improve query performance.
This is purely theoretical; in practice, the gain in performance is negligible.
I prefer to have a query take 11 ms and see the values submitted in case of
error, than to have the same query take 10 ms, but no
And we prefer to hack Schneegans apps. :D
[mailto:dwa...@figleaf.com]
Sent: Monday, May 02, 2011 1:54 PM
To: cf-talk
Subject: Re: Bless cfqueryparam - helped defend against a persistent hack
attempt
cfqueryparam creates bound sql parameters, which improve query
performance.
This is purely theoretical, in practice, the gain in performance
I generally see a pretty significant gain on Oracle as well.
Thanks,
Eric Cobb
http://www.cfgears.com
Help me make a difference this summer - http://bit.ly/i8dJvQ
On 5/2/2011 3:27 PM, Mark A. Kruger wrote:
I almost always see a significant gain in query performance - at least on
all
Sure, your MS Access DB doesn't cache execution plans, but real databases do.
On Mon, May 2, 2011 at 2:10 PM, wrote:
cfqueryparam creates bound sql parameters, which improve query performance.
This is purely theoretical; in practice, the gain in performance is negligible.
I prefer to have a query take 11 ms and see the values submitted in case of
error, than
Yes, your error messages may need some help, but a combination
of usage and proper error handling (too often ignored) can go a long
way towards saving your bacon.
Perhaps I'm going a little overboard, but my personal philosophy is
that it shouldn't be possible for an end-user to generate a
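As an added illustration of the points raised across this thread (example code, not from any of the posters): the string-built query next to its cfqueryparam version, with the numeric-ID coercion Justin described (plus the round Mark noted) and a cfcatch that logs the real submitted value, which is exactly what the "parameter 1" error text hides. The datasource `myDSN`, the `users` table and the `sqlerrors` log file are assumed names.

```cfml
<!--- Assumed names: datasource myDSN, table users, log file sqlerrors --->
<cfparam name="url.id" default="0">

<!--- Vulnerable: url.id is spliced into the SQL text, so whatever is
      submitted is parsed by the database as part of the statement --->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT id, username FROM users WHERE id = #url.id#
</cfquery>

<!--- Coerce the input before it reaches the query: val() turns non-numeric
      junk into 0, abs() forces it positive, min() caps the range, and
      round() drops any fractional part val() may have kept --->
<cfset safeId = round(min(abs(val(trim(url.id))), 200))>

<cftry>
    <!--- Parameterized: the driver binds the value as an integer, it is
          never parsed as SQL, and the execution plan can be reused --->
    <cfquery name="getUser" datasource="myDSN">
        SELECT id, username
        FROM users
        WHERE id = <cfqueryparam value="#safeId#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfcatch type="database">
        <!--- The database error only refers to "parameter 1"; record the
              actual submitted value here so the log is still debuggable --->
        <cflog file="sqlerrors" type="error"
               text="getUser failed: #cfcatch.message# | raw url.id=[#url.id#] safeId=#safeId#">
        <!--- The end user gets a generic message; details stay in the log --->
        <cfthrow message="Unable to load user." type="Application">
    </cfcatch>
</cftry>
```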