RE: SQL Server on development box?

2008-10-08 Thread brad
There is an express version of Management Studio you can use for free. The biggest limitation to me was that you can't have a database larger than 4 Gigs. If you have a larger database, fork over the 50 bucks. ~Brad Original Message Subject: Re: SQL Server on development box

RE: SQL Server on development box?

2008-10-08 Thread Jim Davis
-Original Message- From: RobG [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2008 12:15 PM To: cf-talk Subject: Re: SQL Server on development box? I thought MSSQL Express (developer) edition was free? Rob I second this - the Express version is limited, but not stripped

Re: SQL Server on development box?

2008-10-08 Thread Gerald Guido
absolute best-of-breed management tools The only issue I really had with the express MSSQL Management Studio is the lack of import/export functionality. If you have a license for MSSQL 2005 you should be able to install the Management Studio that came with the server. On Wed, Oct 8, 2008 at

RE: SQL Server on development box?

2008-10-08 Thread Jim Davis
-Original Message- From: Gerald Guido [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2008 6:19 PM To: cf-talk Subject: Re: SQL Server on development box? absolute best-of-breed management tools The only issue I really had with the express MSSQL Management Studio

Re: SQL Server on development box?

2008-10-08 Thread Gerald Guido
Thanx Jim. Awesome resource!! ~G~ On Wed, Oct 8, 2008 at 7:19 PM, Jim Davis [EMAIL PROTECTED]wrote: -Original Message- From: Gerald Guido [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2008 6:19 PM To: cf-talk Subject: Re: SQL Server on development box? absolute

Re: SQL Help

2008-09-16 Thread Gert Franz
Assuming your PK is named customerID you can do the following: SELECT mytable.lastname, mytable.firstname, mytable.city, mytable.state FROM mytable WHERE mytable.customerID in (select min(customerID) from mytable group by email) There is at least one problem in your query. The in () statement is

RE: SQL Help

2008-09-16 Thread Rick Faircloth
To view all your records with duplicate email addresses, you might try something like this: <cfquery name="select_distinct_email" datasource="dsn">select distinct email from mytable</cfquery> <cfloop query="select_distinct_email"> <cfquery

Re: SQL Server 2005 permission problems

2008-09-16 Thread James Buckingham
Well I got this up and running through ODBC but unfortunately when I did Transfer ORM, which I'm using to manage my DAO, throws an error message. How do permissions work in SQL Server in terms of CF? From what I can tell, all I need is the datawriter and datareader roles applied to that user. This is

Re: SQL Help

2008-09-16 Thread Jim Wright
On Tue, Sep 16, 2008 at 8:58 AM, Jeff F [EMAIL PROTECTED] wrote: I've got a table (MySQL) with about 20k records. I'd like to be able to get all fields from the table with distinct email addresses. Essentially, I'm weeding out records with duplicate email addresses. What I'm trying does not

RE: SQL Help

2008-09-16 Thread Rick Faircloth
# #state#<br><br></cfoutput></cfloop> -Original Message- From: Rick Faircloth [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 16, 2008 9:42 AM To: CF-Talk Subject: RE: SQL Help To view all your records with duplicate email addresses, you might try something like

Re: SQL Help

2008-09-16 Thread Jeff F
Jim, At first glance that seems to work, however the recordcounts appear to be off. What I did was a simple query to find the total number of distinct email addresses: SELECT distinct mytable.email FROM mytable I get 19588 as a recordcount. When I run SELECT mytable.lastname,

Re: SQL Help

2008-09-16 Thread Jim Wright
On Tue, Sep 16, 2008 at 10:13 AM, Jeff F [EMAIL PROTECTED] wrote: SELECT distinct mytable.email FROM mytable I get 19588 as a recordcount. This number would include email addresses that are duplicated in the table (but only a count of 1 for each distinct address). SELECT

Re: SQL Help

2008-09-16 Thread Jeff F
Thanks Jim. Now I see. I guess what I'm looking for would be something like this then: SELECT mytable.lastname,mytable.email FROM mytable GROUP BY mytable.email HAVING distinct(mytable.email) Which of course does not work. When there are records with duplicate emails addresses, I need

Re: SQL Help

2008-09-16 Thread Judah McAuley
Are the other fields in your table the same when the email is the same? Meaning, are the records really duplicate? Or is it just the email that is duplicate and the other fields may have varying values for two rows that have the same email? If they do vary, do you care which of the duplicate rows

Re: SQL Help

2008-09-16 Thread C S
When there are records with duplicate emails addresses, I need to include one of them. So you are trying to display one record for each email address? You could try something like this. Not tested, but the idea is to select a single PK for each email. Then use a JOIN to display the details

Re: SQL Help

2008-09-16 Thread C S
You could try something like this. Not tested, but the idea is to select a single PK for each email. Then use a JOIN to display the details for those PK's. Note, the previous query assumes it does not matter which record is returned.

Re: SQL Help

2008-09-16 Thread Jeff F
The records are from contest entries. People can only enter with one email address. Some people entered multiple times, using the same email address. I need to get a record set used to pick a winner, including just one of the records from the duplicate email entries.

Re: SQL Help

2008-09-16 Thread C S
I need to get a record set used to pick a winner, including just one of the records from the duplicate email entries. If it does not matter which one, try the query I posted in my first response. The syntax is not tested, but it has the right concept.

Re: SQL Help

2008-09-16 Thread Justin Scott
The records are from contest entries. People can only enter with one email address. Some people entered multiple times, using the same email address. So, why all the complexity with joins and subqueries? Just... SELECT DISTINCT email FROM sometable then pick a winner from the list of

Re: SQL Help

2008-09-16 Thread C S
It also begs the question, if they were only supposed to have one entry per e-mail address, why wasn't there error checking or a constraint on the table to force this in the first place? True enough. I was thinking the same thing myself ;-)
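The de-duplication techniques traded back and forth in this thread (count of rows versus count of distinct emails, Gert's MIN(customerID) subquery, C S's derive-one-PK-then-JOIN form, Rick's duplicate report, and the UNIQUE constraint C S wishes had been there), as an added example that is not code from any of the posters. It uses Python's sqlite3 module in place of Jeff's MySQL so it runs offline; the table and column names follow the thread, the five sample rows are constructed, and the queries are standard SQL that behave the same on MySQL.

```python
import sqlite3

# Constructed sample standing in for Jeff's MySQL contest table: five entries,
# three distinct addresses, two people who entered twice with the same email.
SAMPLE_ENTRIES = [
    ("Smith", "Ann", "Raleigh", "NC", "ann@example.com"),
    ("Smith", "Ann", "Raleigh", "NC", "ann@example.com"),
    ("Jones", "Bob", "Newark", "NJ", "bob@example.com"),
    ("Lee", "Cat", "Dayton", "OH", "cat@example.com"),
    ("Jones", "Bob", "Trenton", "NJ", "bob@example.com"),
]


def build_db():
    """In-memory table using the column names from the thread (customerID is the PK)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE mytable (
               customerID INTEGER PRIMARY KEY AUTOINCREMENT,
               lastname TEXT, firstname TEXT, city TEXT, state TEXT,
               email TEXT NOT NULL)"""
    )
    conn.executemany(
        "INSERT INTO mytable (lastname, firstname, city, state, email) VALUES (?, ?, ?, ?, ?)",
        SAMPLE_ENTRIES,
    )
    return conn


def counts(conn):
    """Jeff's two numbers: all rows versus distinct emails. The gap is the number of extra entries."""
    total = conn.execute("SELECT COUNT(*) FROM mytable").fetchone()[0]
    distinct = conn.execute("SELECT COUNT(DISTINCT email) FROM mytable").fetchone()[0]
    return total, distinct


def duplicate_emails(conn):
    """Rick's report of duplicated addresses done in one query instead of a cfloop of queries."""
    return conn.execute(
        "SELECT email, COUNT(*) FROM mytable GROUP BY email HAVING COUNT(*) > 1 ORDER BY email"
    ).fetchall()


def one_row_per_email_subquery(conn):
    """Gert's approach: keep the row with the lowest PK for each email."""
    return conn.execute(
        """SELECT lastname, firstname, city, state, email FROM mytable
           WHERE customerID IN (SELECT MIN(customerID) FROM mytable GROUP BY email)
           ORDER BY customerID"""
    ).fetchall()


def one_row_per_email_join(conn):
    """C S's approach: pick one PK per email in a derived table, then JOIN back for the details."""
    return conn.execute(
        """SELECT m.lastname, m.firstname, m.city, m.state, m.email
           FROM mytable m
           JOIN (SELECT MIN(customerID) AS keep_id FROM mytable GROUP BY email) k
             ON k.keep_id = m.customerID
           ORDER BY m.customerID"""
    ).fetchall()


def unique_constraint_rejects_duplicate(conn):
    """C S's closing point: a UNIQUE constraint stops the second entry at insert time."""
    conn.execute("CREATE TABLE entries_unique (email TEXT PRIMARY KEY, lastname TEXT)")
    conn.execute("INSERT INTO entries_unique VALUES ('ann@example.com', 'Smith')")
    try:
        conn.execute("INSERT INTO entries_unique VALUES ('ann@example.com', 'Smith')")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("rows, distinct emails:", counts(db))
    print("entered more than once:", duplicate_emails(db))
    for row in one_row_per_email_subquery(db):
        print(row)
    print("subquery and join agree:", one_row_per_email_subquery(db) == one_row_per_email_join(db))
    print("UNIQUE constraint rejected duplicate:", unique_constraint_rejects_duplicate(db))
```

Both one-row-per-email queries return the same three rows here because both pick MIN(customerID); which of Bob's two entries survives is decided by that choice, which is fine for a draw where the thread agreed it does not matter. Jeff's `GROUP BY email` with non-aggregated columns in the select list is something older MySQL accepts silently while returning an arbitrary row per group, which is why the explicit MIN(pk) form is the one to use.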

Re: SQL injection attack on House of Fusion

2008-08-26 Thread Peter Tilbrook
Just got nailed myself - dammit - 15 years of knowledge. Have code reviewed and wasn't my CFML (at this stage) so maybe a new IIS vulnerability? My attack occurred recently - possibly in the last 24 hours or so. Have disabled the database and CFABORTed any code that interacts with the database

RE: SQL injection attack on House of Fusion

2008-08-26 Thread Dave Watts
Have code reviewed and wasn't my CFML (at this stage) so maybe a new IIS vulnerability? I seriously doubt this has anything to do with IIS, since IIS can't interact directly with your database. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest

Re: SQL injection attack on House of Fusion

2008-08-26 Thread Al Musella, DPM
Open the website log with word and do a search for DECLARE you will find a lot of entries.. Look for a filename that is in a different directory than what you expected.. I think I got hit from a template that was in an old, unused directory from many years ago. I recently went through

Re: SQL injection attack on House of Fusion

2008-08-26 Thread denstar
On Tue, Aug 26, 2008 at 4:46 AM, Peter Tilbrook wrote: Just got nailed myself - dammit - 15 years of knowledge. There are at least 2 tools available that will search through your code looking for unparamed variables, and I think Larry posted a simple regex that you could use from within Eclipse.

RE: SQL injection attack on House of Fusion

2008-08-26 Thread Dave Watts
It doesn't work with stored procedures (which shouldn't matter, 'cause I think they are type-checked by the DB first anyways) Well, not necessarily. As Mark pointed out when this thread started - it feels like it was long, long ago - if you're calling a stored procedure from CFQUERY you have

Re: SQL injection attack on House of Fusion

2008-08-26 Thread denstar
On Tue, Aug 26, 2008 at 2:01 PM, Dave Watts wrote: It doesn't work with stored procedures (which shouldn't matter, 'cause I think they are type-checked by the DB first anyways) Well, not necessarily. As Mark pointed out when this thread started - it feels like it was long, long ago - if

Re: SQL injection attack on House of Fusion

2008-08-26 Thread Brad Wood
PM Subject: Re: SQL injection attack on House of Fusion On Tue, Aug 26, 2008 at 2:01 PM, Dave Watts wrote: It doesn't work with stored procedures (which shouldn't matter, 'cause I think they are type-checked by the DB first anyways) Well, not necessarily. As Mark pointed out when this thread

Re: SQL injection attack on House of Fusion

2008-08-26 Thread denstar
On Tue, Aug 26, 2008 at 5:42 PM, Brad Wood wrote: That is, unless you concatenate SQL in your stored procedure. http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me Perfect example, thanks! Yeah, dunno what I was thinking... parsing that stuff would be not

Re: SQL injection attack on House of Fusion

2008-08-25 Thread denstar
On Sun, Aug 17, 2008 at 10:43 AM, Jochem wrote: denstar wrote: Or maybe you've got a simple solution, to how one would limit URL requests to only allowable values? I don't think simple solutions exist. The closest I have seen that still was simple yet appeared to be somewhat effective was a

Re: SQL injection attack on House of Fusion

2008-08-25 Thread denstar
On Wed, Aug 20, 2008 at 4:37 PM, Dave Watts wrote: Your main concern is not the consumption of resources as a result of an automated attack. That's just like any other denial of service attack, basically. If you can filter it out successfully, that's good for you, but you should be far

Re: SQL injection attack on House of Fusion

2008-08-23 Thread Matthew Smith
Mary Jo, I've done some additional testing and have found that the prior version of the SQL Injection Blocker does better when challenged with the HP Scrawlr testing tool than the newest version. Rolling back to the prior release also solved the false positive problem for the three towns

Re: SQL injection attack on House of Fusion

2008-08-23 Thread Mary Jo Sminkey
I've done some additional testing and have found that the prior version of the SQL Injection Blocker does better when challenged with the HP Scrawlr testing tool than the newest version. Rolling back to the prior release also solved the false positive problem for the three towns mentioned

Re: SQL injection attack on House of Fusion

2008-08-22 Thread Matthew Smith
I've upgraded to the latest version of Mary Jo's tool to filter attempts at SQL injection. It works well, but I found three interesting false positives today. My site has community profiles for cities and towns. The URL for these profiles includes the county name as well as the city or town

Re: SQL injection attack on House of Fusion

2008-08-22 Thread Mary Jo Sminkey
Can anyone suggest a modification to the code that would eliminate the false positives without substantially weakening the filter? The one in there now is by Luis Melo and his email is in the credits. You might want to send them along to him as I know he plans to work more on reducing the

Re: SQL injection attack on House of Fusion

2008-08-22 Thread Mary Jo Sminkey
My site has community profiles for cities and towns. The URL for these profiles includes the county name as well as the city or town name. There are Union counties in North Carolina, New Jersey and Ohio. Or...maybe you could just get the states to rename that county. ;-)

RE: SQL injection attack on House of Fusion

2008-08-21 Thread Sandra Clark
Funny, I went to high school with him. Had a comp sci class with him where he spent quite a bit of time trying to get passwords from unsuspecting people. -Original Message- From: Mike Kear [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 20, 2008 6:33 PM To: CF-Talk Subject: Re: SQL

Re: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore
I am still getting around 50 to 75 attacks a day on about 20 of my websites. I applied the solution from JOCHEM that aborts the attack in the application.cfm file and then sends me an email. They just keep coming from different IP addresses so it is useless to do anything other than wait for

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
I also had a concern about thread safety; it's caching the java.util. regex.Matcher object in Application scope, and calling Application. injChecker.reset(testvar) for each url/form/etc variable -- seems like Matcher.reset() changes state of the cached Matcher object? Thanks for pointing

RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
what is going on and what is best to do. Does this thing just raise its ugly head every now and then and go away for a while? This is the first I have seen of it on my server. Thanks in advance, ~David G. Moore, Jr. UpstateWeb, LLC Subject: Re: SQL injection attack on House of Fusion

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
I am currently using the SQLprev.cfm from Jochem to stop the onslaught of superfluous bandwidth suckage from my server, but was wondering what the difference would be with this one. Since I am not familiar with his, I cannot say what the difference would be. I did include URL, form, cookie

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Justin Scott
I am currently using the SQLprev.cfm from Jochem to stop the onslaught of superfluous bandwidth suckage from my server, but was wondering what the difference would be with this one. I am not looking to start a "my SQL injection blocker is better than yours", yet trying to educate myself on

RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
use? I have never seen cfqueryparam used on any tags I have purchased or exchanged and I am afraid all I know is what I have learned from books and forums. This is the first I have ever heard of using cfqueryparam. ~David G. Moore, Jr. Subject: Re: SQL injection attack on House of Fusion From

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
When you say Update Your Code, are you saying using cfqueryparam? Yes, that's what he is saying. so, go back and fix 1,000's of lines of code I have developed over the last 'umpteen' years or stop it before it starts? Because if you don't, you are putting a LOT of faith in these

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Ian Skinner
David Moore, Jr. wrote: Not trying to pick a fight, because I am sure you have forgotten more code than I will ever know (seriously) and I am probably just being lazy (seriously), but is cfqueryparam something a lot of programmers really use? I have never seen cfqueryparam used on any tags

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Josh Nathanson
Not trying to pick a fight, because I am sure you have forgotten more code than I will ever know (seriously) and I am probably just being lazy (seriously), but is cfqueryparam something a lot of programmers really use? I have never seen cfqueryparam used on any tags I have purchased or

RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
learned a lot. ~David G. Moore, Jr. Subject: Re: SQL injection attack on House of Fusion From: [EMAIL PROTECTED] To: cf-talk@houseoffusion.com Date: Wed, 20 Aug 2008 14:35:19 -0700 Not trying to pick a fight, because I am sure you have forgotten more code than I will ever know (seriously

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Justin Scott
When you say Update Your Code, are you saying using cfqueryparam? But even so, the SQL injection still will use up countless resources instead of cutting it off early. So, go back and fix 1,000's of lines of code I have developed over the last 'umpteen' years or stop it before it starts? Is

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Kelly
As someone who was hit by the attack on the first day, I will say I've used cfqueryparam for years and yet I had a handful of pages with old code where I was not using cfqueryparam. It just takes one page that's publicly accessible to do damage. Once I fixed the pages in question, try as

RE: SQL injection attack on House of Fusion

2008-08-20 Thread Dave Watts
Does this thing just raise its ugly head every now and then and go away for a while? This is the first I have seen of it on my server. This is the first large-scale automated SQL injection attack. Automated attacks have been around for a long time, as have SQL injection attacks. Honestly,

RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
nother Post Thanks everyone! ~David G. Moore, Jr. P.S. Speaking of Smack Down's. Mary Jo's got a great right cross :) Go get'em girl! Subject: Re: SQL injection attack on House of Fusion From: [EMAIL PROTECTED] To: cf-talk@houseoffusion.com Date: Wed, 20 Aug 2008 17:41:12 -0400 When

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Eric Cobb
. This is the first I have ever heard of using cfqueryparam. ~David G. Moore, Jr. Subject: Re: SQL injection attack on House of Fusion From: [EMAIL PROTECTED] To: cf-talk@houseoffusion.com Date: Wed, 20 Aug 2008 17:01:42 -0400 I am currently using the SQLprev.cfm from Jochem to stop

RE: SQL injection attack on House of Fusion

2008-08-20 Thread Mark Kruger
, 2008 4:59 PM To: CF-Talk Subject: RE: SQL injection attack on House of Fusion Does this thing just raise its ugly head every now and then and go away for a while? This is the first I have seen of it on my server. This is the first large-scale automated SQL injection attack. Automated attacks

RE: SQL injection attack on House of Fusion

2008-08-20 Thread Mark Kruger
Eric, A good answer might be it is now :) -Original Message- From: Eric Cobb [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 20, 2008 4:59 PM To: CF-Talk Subject: Re: SQL injection attack on House of Fusion is cfqueryparam something a lot of programmers really use? Only

RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
to this one? I am pretty sure I am about to get another SMACK DOWN... Subject: RE: SQL injection attack on House of Fusion From: [EMAIL PROTECTED] To: cf-talk@houseoffusion.com Date: Wed, 20 Aug 2008 17:59:23 -0400 Does this thing just raise its ugly head every now and then and go away for a while

RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
Well, it is my goal :) not there yet... Subject: Re: SQL injection attack on House of Fusion From: [EMAIL PROTECTED] To: cf-talk@houseoffusion.com Date: Wed, 20 Aug 2008 16:59:26 -0500 is cfqueryparam something a lot of programmers really use? Only the good ones. ;) Thanks, Eric David

RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
the ropes and into the first row of chairs! (Yes, I am from the South and everything references Wrestling or Nascar) ~David Subject: Re: SQL injection attack on House of Fusion From: [EMAIL PROTECTED] To: cf-talk@houseoffusion.com Date: Wed, 20 Aug 2008 16:59:26 -0500 is cfqueryparam something

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Justin Scott
I certainly don't feel picked on. I feel blessed to have a place where I can learn from people who do know so much. And you are right. I (we) only seem to learn under fire. I am a one man business owner in a small town with limited resources and time. 10 hour days, work weekends, what is

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Justin Scott
So, I have found like the Mother Lode of good programmers who really care about Cold Fusion and take the time to do it right? Pretty much. The skill level on the list varies from can express the meaning of life in ColdFusion to what's a database so your experience may vary. I'd like to

RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
. :) As for the can o' worms. If you're ever in Spartanburg, SC, just bring 'em along and I can show you some really nice fishin! Seriously, thanks everyone! ~David G. Moore, Jr. Subject: Re: SQL injection attack on House of Fusion From: [EMAIL PROTECTED] To: cf-talk@houseoffusion.com Date: Wed, 20 Aug 2008 18

RE: SQL injection attack on House of Fusion

2008-08-20 Thread Dave Watts
When you say Update Your Code, are you saying using cfqueryparam? Yes. That is the only mechanism guaranteed to prevent known and future SQL injection attacks. Using a filter can protect you from the current attack long enough for you to fix your broken code. But even so, the SQL injection
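What Dave means by "the only mechanism guaranteed" is that cfqueryparam sends the request value to the database as a bound parameter, so it can never be parsed as SQL, whereas a filter only recognises the payloads someone has already seen. The added example below (not code from the list, from any of the blockers discussed, or from Adobe) shows the two behaviours side by side in Python with sqlite3 standing in for the database: a constructed two-row table, a concatenated query and its parameterized twin, and two constructed payloads, a tautology and a stacked statement that starts with `;` the way the DECLARE payloads in this thread did. `executescript()` is used for the vulnerable UPDATE because, like the drivers those bots relied on, it runs a batch of several statements.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for a site's entries table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """CREATE TABLE entries (id INTEGER PRIMARY KEY, email TEXT NOT NULL, comment TEXT NOT NULL);
           INSERT INTO entries (email, comment) VALUES
               ('alice@example.com', 'first entry'),
               ('bob@example.com', 'second entry');"""
    )
    return conn


def lookup_concatenated(conn, email):
    """The pattern cfqueryparam replaces: the request value is pasted into the SQL text."""
    sql = "SELECT id, email FROM entries WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """The cfqueryparam equivalent: the value travels as a bound parameter, never as SQL."""
    return conn.execute("SELECT id, email FROM entries WHERE email = ?", (email,)).fetchall()


def update_comment_concatenated(conn, email, comment):
    """Vulnerable form. executescript() accepts a batch, so a ';' in the value starts a new statement."""
    sql = "UPDATE entries SET comment = '" + comment + "' WHERE email = '" + email + "'"
    conn.executescript(sql)


def update_comment_parameterized(conn, email, comment):
    """Safe form: both values are bound, so the ';' and quotes inside them stay data."""
    conn.execute("UPDATE entries SET comment = ? WHERE email = ?", (comment, email))
    conn.commit()


def all_comments(conn):
    return [row[0] for row in conn.execute("SELECT comment FROM entries ORDER BY id")]


# Constructed payloads: a classic tautology and a stacked statement in the ';<statement>' shape.
TAUTOLOGY = "' OR '1'='1"
STACKED = "x'; UPDATE entries SET comment = 'INJECTED' WHERE '1' = '1"

if __name__ == "__main__":
    db = build_db()
    print("concatenated, tautology:", lookup_concatenated(db, TAUTOLOGY))   # every row
    print("parameterized, tautology:", lookup_parameterized(db, TAUTOLOGY))  # no rows
    update_comment_concatenated(db, STACKED, "legit")
    print("after stacked payload, concatenated:", all_comments(db))          # all INJECTED
    db2 = build_db()
    update_comment_parameterized(db2, STACKED, "legit")
    print("after stacked payload, parameterized:", all_comments(db2))        # unchanged
```

Two caveats from later in this thread apply to the parameterized form as well: it protects the statement you bind, so a stored procedure that concatenates its argument into dynamic SQL internally is still injectable, and a request filter like the ones being traded here buys time to convert the concatenated queries but does not replace doing so.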

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mike Kear
A while ago I read a totally riveting book called The Art Of Intrusion by Kevin D Mitnick, the legendary hacker who was sent to jail for his intrusion exploits. He runs a security company now, that tests your security and reports back on how well you've done. He says one of the most common

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mike Kear
Don't feel bad, David. I am a freelance CF programmer. I spend most of my time working on bug fixes or feature enhancements on code written by others. And the vast majority of files I work on have no cfqueryparam. Most of the code I work on really needs re-writing from scratch it's so

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
P.S. Speaking of Smack Down's. Mary Jo's got a great right cross :) Go get'em girl! LOL, actually I am a pacifist at heart and always try to not lose my temper (serves me well with customers, particularly the endlessly annoying ones!) As for not knowing what cfqueryparam is and how to

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
Eric is pretty good at the Smack Down too, Eric The Great takes David the Geek over the ropes and into the first row of chairs! (Yes, I am from the South and everything references Wrestling or Nascar) Here's another smack down for you... it would be nice if you could remove all the extra

RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
Mary Jo, Sorry. Didn't see all that. First time using this kind of post. Here's another smack down for you... it would be nice if you could remove all the extra quoted stuff on your posts... take a look at the online web archives, it really makes a mess of the thread! Will do better in the

RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
Actually I am a pacifist at heart and always try to not lose my temper (serves me well with customers, particularly the endlessly annoying ones!) LOLOL. I am actually a moderately conservative liberal. I believe in losing my temper only when I know I can't find it. As for not knowing what

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Jochem van Dieten
David Moore, Jr. wrote: I am currently using the SQLprev.cfm from Jochem The what from whom? Jochem

RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
OK. I thought it was from you. I was sent an email with the link to SQLprev.cfm in an email and they referenced I use your suggestion in the email as well. I stuck the two together. David Moore, Jr. wrote: I am currently using the SQLprev.cfm from Jochem Jochem Wrote? The what from

RE: SQL injection attack on House of Fusion

2008-08-20 Thread Jenny Gavin-Wear
: Re: SQL injection attack on House of Fusion Bobby, what have you been using to look up the origin of the IPs en masse? I found a site that lets me do a handful at a time, but I don't know how accurate the data is. It is saying the majority of my IPs originated from the US. ~Brad

RE: SQL injection attack on House of Fusion

2008-08-20 Thread Jenny Gavin-Wear
and totally insensitive analogy, the likes of which I hope we never see on this list again. Enough -Original Message- From: Mark Kruger [mailto:[EMAIL PROTECTED] Sent: 11 August 2008 16:24 To: CF-Talk Subject: RE: SQL injection attack on House of Fusion Rick, While your argument

Re: SQL injection attack on House of Fusion

2008-08-19 Thread Qing Xia
Hello folks: I am sorry about the thread jump here, but any ASP gurus out there on this discussion list? In the past week, I have been fanatically patching our old CF code and applying CFQUERYPARAM wherever it applies. Additionally, I also implemented the SQL Injection Blocker written by

RE: SQL injection attack on House of Fusion

2008-08-19 Thread Dave Watts
What is the ASP equivalent of CFQUERYPARAM? http://prepared-statement.blogspot.com/ Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore,

Re: SQL injection attack on House of Fusion

2008-08-19 Thread Qing Xia
Neat! Thanks Dave. On Tue, Aug 19, 2008 at 11:54 AM, Dave Watts [EMAIL PROTECTED] wrote: What is the ASP equivalent of CFQUERYPARAM? http://prepared-statement.blogspot.com/ Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber

Re: SQL injection attack on House of Fusion

2008-08-19 Thread Brad Wood
: Tuesday, August 19, 2008 11:33 AM Subject: Re: SQL injection attack on House of Fusion Neat! Thanks Dave. On Tue, Aug 19, 2008 at 11:54 AM, Dave Watts [EMAIL PROTECTED] wrote: What is the ASP equivalent of CFQUERYPARAM? http://prepared-statement.blogspot.com

Re: SQL injection attack on House of Fusion

2008-08-17 Thread Jochem van Dieten
denstar wrote: On Sat, Aug 16, 2008 at 6:15 AM, Jochem van Dieten wrote: I haven't mentioned this before because I do believe that filtering request URLs is the wrong approach Care to elaborate on this? Filtering means allow unless it matches. A security measure should be deny unless it

RE: SQL injection attack on House of Fusion

2008-08-17 Thread Andrew Scott
Mobile: 0404 998 273 -Original Message- From: denstar [mailto:[EMAIL PROTECTED] Sent: Sunday, 17 August 2008 2:34 PM To: CF-Talk Subject: Re: SQL injection attack on House of Fusion On Sat, Aug 16, 2008 at 10:04 PM, Andrew Scott wrote: Well at the end of the day, I am currently using

Re: SQL injection attack on House of Fusion

2008-08-17 Thread denstar
On Sun, Aug 17, 2008 at 2:08 AM, Jochem van Dieten wrote: denstar wrote: On Sat, Aug 16, 2008 at 6:15 AM, Jochem van Dieten wrote: I haven't mentioned this before because I do believe that filtering request URLs is the wrong approach Care to elaborate on this? Filtering means allow unless

RE: SQL injection attack on House of Fusion

2008-08-17 Thread Rick Faircloth
PM To: CF-Talk Subject: RE: SQL injection attack on House of Fusion Rick, I think it is only a matter of time, I only have one ColdFusion website that is on a shared server/public. I have been through the attacks, but when speaking with the hosting provider I think they started to put

RE: SQL injection attack on House of Fusion

2008-08-17 Thread Andrew Scott
Aegeon Pty. Ltd. www.aegeon.com.au Phone: +613 9015 8628 Mobile: 0404 998 273 -Original Message- From: Rick Faircloth [mailto:[EMAIL PROTECTED] Sent: Sunday, 17 August 2008 10:16 PM To: CF-Talk Subject: RE: SQL injection attack on House of Fusion Andrew, I need to check with my

RE: SQL injection attack on House of Fusion

2008-08-17 Thread Dave Francis
But hey I am not complaining... Who are you, and why are you using Andrew's email address? -Original Message- From: Andrew Scott [mailto:[EMAIL PROTECTED] Sent: Sunday, August 17, 2008 5:19 AM To: CF-Talk Subject: RE: SQL injection attack on House of Fusion LoL... At the end

RE: SQL injection attack on House of Fusion

2008-08-17 Thread Justin D. Scott
Filtering means allow unless it matches. A security measure should be deny unless it matches. I believe that depends on the proportion of wanted vs. unwanted items. On a firewall, this is the best approach because there are far more ports that you don't want to have available than there are
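Jochem's distinction ("filtering means allow unless it matches; a security measure should be deny unless it matches") and Matthew's Union county false positives from earlier in the thread are the same point seen from two sides, so here is one added example covering both. It is Python, not Mary Jo's blocker, Jochem's SQLprev.cfm or Luis Melo's regex: a constructed blocklist pattern in the spirit of the `findnocase(";DECLARE", cgi.query_string)` check sits beside an allowlist that names each expected parameter and the shape its value may take. The parameter names, the shapes and the three query strings are assumptions for a site like Matthew's county and town profiles.

```python
import re
from urllib.parse import parse_qs

# Blocklist, "allow unless it matches": a constructed pattern in the style of the
# ;DECLARE check and the regex blockers in the thread. Case-insensitive, so the
# DeCLARE spelling is still caught; but any keyword-free payload sails through.
BLOCKLIST = re.compile(r";\s*declare\b|\bunion\b|\bexec\b|\bcast\s*\(", re.IGNORECASE)


def blocklist_allows(query_string):
    """Passes anything the pattern does not recognise as hostile."""
    return BLOCKLIST.search(query_string) is None


# Allowlist, "deny unless it matches": every parameter the page accepts, with the
# shape its value must have. Names and shapes are assumptions for a county/town site.
ALLOWED = {
    "county": re.compile(r"[A-Za-z][A-Za-z .'-]{0,49}"),
    "town": re.compile(r"[A-Za-z][A-Za-z .'-]{0,49}"),
    "state": re.compile(r"[A-Z]{2}"),
    "id": re.compile(r"[0-9]{1,9}"),
}


def allowlist_allows(query_string):
    """Passes only if every parameter name is known and every value fully matches its shape."""
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        shape = ALLOWED.get(name)
        if shape is None:
            return False
        if not all(shape.fullmatch(v) for v in values):
            return False
    return True


# Constructed request query strings.
LEGIT_UNION_COUNTY = "county=Union&state=NC&town=Monroe"   # Matthew's false positive
DECLARE_PROBE = "id=5;DeCLARE @s varchar(4000)"           # the shape the bots used
TAUTOLOGY = "id=5 OR 1=1"                                 # nothing for a keyword filter to see

if __name__ == "__main__":
    for qs in (LEGIT_UNION_COUNTY, DECLARE_PROBE, TAUTOLOGY):
        print(f"{qs!r}: blocklist allows={blocklist_allows(qs)} "
              f"allowlist allows={allowlist_allows(qs)}")
```

The blocklist rejects the legitimate Union county page and passes the tautology; the allowlist gets both right because it never has to know what an attack looks like, only what a valid request looks like. The cost is exactly what Justin describes: every page's parameters have to be enumerated, which is a per-site job rather than a drop-in file.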

Re: SQL injection attack on House of Fusion

2008-08-17 Thread Jochem van Dieten
denstar wrote: On Sun, Aug 17, 2008 at 2:08 AM, Jochem van Dieten wrote: denstar wrote: On Sat, Aug 16, 2008 at 6:15 AM, Jochem van Dieten wrote: I haven't mentioned this before because I do believe that filtering request URLs is the wrong approach Care to elaborate on this? Filtering means

Re: SQL injection attack on House of Fusion

2008-08-16 Thread denstar
On Fri, Aug 15, 2008 at 10:58 PM, Mark Mandel wrote: What I'm curious about, is that there seems to be no one you can report this to? Well, I'm pretty sure there is something we could do, but the general attitude seems to be to just suck it up. And buy some stocks in the tech

Re: SQL injection attack on House of Fusion

2008-08-16 Thread mac jordan
On Fri, Aug 15, 2008 at 11:56 PM, Brad Wood [EMAIL PROTECTED] wrote: They completely stopped on the 11th, but they are back today spelling it like DeCLARE. We're seeing the same - we're using RegExp to pick 'em up now. -- mac jordan www.webhorus.net | www.reactivecooking.com |

Re: SQL injection attack on House of Fusion

2008-08-16 Thread Jochem van Dieten
Mark Mandel wrote: What I'm curious about, is that there seems to be no one you can report this to? You can report it to the abuse department of the ISP of the originating IP. Just look up the IP delegation and the abuse address is usually right there. Jochem

RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
:37 PM To: CF-Talk Subject: Re: SQL injection attack on House of Fusion Mark Mandel wrote: What I'm curious about, is that there seems to be no one you can report this to? You can report it to the abuse department of the ISP of the originating IP. Just look up the IP delegation and the abuse

Re: SQL injection attack on House of Fusion

2008-08-16 Thread Jochem van Dieten
Andrew Scott wrote: Ever heard of IP spoofing? Sure you need to complain about it, but the one thing they need to do is track the packets. IP spoofing is really only a significant problem with UDP. With TCP any decent ISP will catch spoofs in their egress filters. Even your cheap, Taiwanese

RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
- From: Jochem van Dieten [mailto:[EMAIL PROTECTED] Sent: Saturday, 16 August 2008 10:15 PM To: CF-Talk Subject: Re: SQL injection attack on House of Fusion Andrew Scott wrote: Ever heard of IP spoofing? Sure you need to complain about it, but the one thing they need to do is track the packets

Re: SQL injection attack on House of Fusion

2008-08-16 Thread Jochem van Dieten
Andrew Scott wrote: I believe IP spoofing is still a huge problem. I know little about it, so no more comment on that but a quick google shows that it is still a huge problem. AIDS is a huge problem too. It is also about equally relevant for the current wave of SQL injection attacks. As

Re: SQL injection attack on House of Fusion

2008-08-16 Thread Claude Schneegans
they are back. Yeah, here too. -- ___ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: [EMAIL PROTECTED]) Thanks.

RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
August 2008 12:34 AM To: CF-Talk Subject: Re: SQL injection attack on House of Fusion Andrew Scott wrote: I believe IP spoofing is still a huge problem. I know little about it, so no more comment on that but a quick google shows that it is still a huge problem. AIDS is a huge problem too

RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
spoke about. Still no reason Coldfusion can't and I will stand by that. -Original Message- From: Jochem van Dieten [mailto:[EMAIL PROTECTED] Sent: Sunday, 17 August 2008 12:34 AM To: CF-Talk Subject: Re: SQL injection attack on House of Fusion Andrew Scott wrote: I can't vouch

Re: SQL injection attack on House of Fusion

2008-08-16 Thread denstar
On Sat, Aug 16, 2008 at 6:15 AM, Jochem van Dieten wrote: Andrew Scott wrote: Ever heard of IP spoofing? Sure you need to complain about it, but the one thing they need to do is track the packets. IP spoofing is really only a significant problem with UDP. With TCP any decent ISP will catch

RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
Mobile: 0404 998 273 -Original Message- From: denstar [mailto:[EMAIL PROTECTED] Sent: Sunday, 17 August 2008 1:14 AM To: CF-Talk Subject: Re: SQL injection attack on House of Fusion On Sat, Aug 16, 2008 at 6:15 AM, Jochem van Dieten wrote: Andrew Scott wrote: Ever heard of IP spoofing

Re: SQL injection attack on House of Fusion

2008-08-16 Thread Jochem van Dieten
Andrew Scott wrote: I stand by the fact that cfqueryparam, can and should be taken care of under the hood. Other languages are doing it, so what does that tell you? It tells me that they need additional configuration or convention. I have 2 functions with the following signatures in my

Re: SQL injection attack on House of Fusion

2008-08-16 Thread James Holmes
You'll be happy to know that CF9 is rumoured to include Hibernate with a corresponding set of tags, so CF should indeed be able to deal with this under the hood. On Sat, Aug 16, 2008 at 11:12 PM, Andrew Scott [EMAIL PROTECTED] wrote: -- Senior Coldfusion Developer Aegeon Pty. Ltd.

RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
-- Senior Coldfusion Developer Aegeon Pty. Ltd. www.aegeon.com.au Phone: +613 9015 8628 Mobile: 0404 998 273 -Original Message- From: Jochem van Dieten [mailto:[EMAIL PROTECTED] Sent: Sunday, 17 August 2008 1:29 AM To: CF-Talk Subject: Re: SQL injection attack on House of Fusion

RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
Man, you're about 6 months late with that news -- Senior Coldfusion Developer Aegeon Pty. Ltd. www.aegeon.com.au Phone: +613 9015 8628 Mobile: 0404 998 273 -Original Message- From: James Holmes [mailto:[EMAIL PROTECTED] Sent: Sunday, 17 August 2008 1:35 AM To: CF-Talk Subject: Re

Re: SQL injection attack on House of Fusion

2008-08-16 Thread David Moore
Sorry for the problems with the House of Fusion site. We've been under massive attack by sql injection bots and I've just been able to get a handle on it. A fast solution to the problem is this: <cfif findNoCase(";DECLARE", cgi.query_string)><cfabort></cfif> It works unless you have a few hundred attacks
