[EMAIL PROTECTED] wrote:
Does variable and CFQueryParam checking also apply to Access databases? Is it
needed when using MS Access 2000 as a backend?
Yes.
I am not sure whether you get the performance improvements with Access,
but cfqueryparam is still a protection against SQL Injection
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Kay Smoljak wrote:
| A long time ago, I made a really stupid mistake that results in
| deletion of all data from a table...
|
|
| A tip I picked up from somewhere - it might even have been this list
| - is to not ever actually delete records using
Zac Spitzer wrote:
Kay Smoljak wrote:
|
| A tip I picked up from somewhere - it might even have been this list
| - is to not ever actually delete records using code. Instead, I have
| a dtDeleted field, which is set to the current date when I want to
| delete the record. When doing selects,
I add a IsDeleted flag to perform soft deletes and use DateChanged field to
record the last date that the record was updated.
-Original Message-
From: Kay Smoljak [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 7:47 AM
To: CF-Talk
Subject: all records deleted from table
|
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Jochem van Dieten wrote:
| Zac Spitzer wrote:
|
|Kay Smoljak wrote:
||
|| A tip I picked up from somewhere - it might even have been this list
|| - is to not ever actually delete records using code. Instead, I have
|| a dtDeleted field, which is set
Zac Spitzer wrote:
Jochem van Dieten wrote:
|
| That is just a limitation of your specific dbms. Others can use much
| fancier indexing schemes. (If your database supports it, look into
| partial indexes for this type of problem.)
interesting i think oracle (at least in the 8i world)
-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 10:32 AM
To: CF-Talk
Subject: Re: all records deleted from table
PostgreSQL has them. I would expect DB2 to have them as wll,
since IBM
funded some research
Where do you perform updates to these tables? What does your data look like
and how much data do you have? The code you have posted below looks sound,
perhaps somehow all your data was updated by an update query which then
would meet the delete criteria below. It sounds highly unlikely, but you
Jim Davis wrote:
-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 10:32 AM
To: CF-Talk
Subject: Re: all records deleted from table
http://simon.cs.cornell.edu/home/praveen/papers/partindex.de95.ps.Z
Typical indexing would have
I also now put a confirmation page between the link to delete and the
actual delete page.. this confirmation page has a form where you have to
actually type the word DELETE into a form field and hit the submit button
to do the deletion, so a web crawler can't trigger it.
At 09:30 AM 2/5/2003,
BTW, materialized views can be implemented in any
database that can use triggers. I don't really
understand why many database vendors insist on
naming them views when they are just extra tables.
Because putting Now, more tables! into the sales material just doesn't
have the same effect as
Dave Watts wrote:
BTW, materialized views can be implemented in any
database that can use triggers. I don't really
understand why many database vendors insist on
naming them views when they are just extra tables.
Because putting Now, more tables! into the sales material just doesn't
have
-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 12:50 PM
To: CF-Talk
Subject: RE: all records deleted from table
BTW, materialized views can be implemented in any
database that can use triggers. I don't really
understand
Kay Smoljak wrote:
Interesting... I mostly use SQL Server, sometimes Interbase (not with CF yet though)
- I don't suppose you have any idea whether Interbase/Firebird supports partial
indexes?
I never heard it does.
Although, the other idea posted in this thread (using a flag and a
Are you type checking the variables that get passed into your queries?
If those variables came from a form submission or a URL parameter it would
be simple for a malicious user to hack some code into those queries that can
delete all the data..
Could this have been caused by a naughty hacker?
yes.. I also check for some info first before you can even hit the delete
file
-Original Message-
From: Ryan Sabir [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 04, 2003 2:30 PM
To: CF-Talk
Subject: RE: all records deleted from table
Are you type checking the variables that get
Yeah that's my thought as well, take a look at your web logs and see if
someone was playing around with putting SQL in the URL...
--
jon
mailto:[EMAIL PROTECTED]
Tuesday, February 4, 2003, 5:30:27 PM, you wrote:
RS Are you type checking the variables that get passed into your queries?
RS If
The items in red is where your problem lies!
a simple sql statement via the url could delete all data from your db.
Have a look at your webserver log file, do a search for DELETE, if its anywhere in the
log file then see if its a SQL statement, if so, thats the hacker, trace its IP
address...
-- Original Message --
From: Taco Fleur [EMAIL PROTECTED]
PS. there are many sites out there that do not know about
this, I used to work for a company called XXX who I told
about this problem, but they don't care (or did not believe
me). You can
The items in red is where your problem lies!
a simple sql statement via the url could delete all data
from your db. Have a look at your webserver log file, do
a search for DELETE, if its anywhere in the log file then
see if its a SQL statement, if so, thats the hacker, trace
its IP
I just noticed that the HTML is removed from the message so you wont see the
items in red.
CItem=#CItem# is where the problem lies.
talking about security.
I know to:
- always use val() with integers in my queries
- always filter ANY data submitted, including hidden fields
- use regEx to
Your name makes me hungry Taco :) taco's
At 09:33 AM 2/5/2003 +1000, you wrote:
I just noticed that the HTML is removed from the message so you wont see the
items in red.
CItem=#CItem# is where the problem lies.
talking about security.
I know to:
- always use val() with integers in
Just a couple of pieces of advice. First, I'd recommend using CFQUERYPARAM
instead of Val in your inline SQL whenever possible. Second, in my
experience, people aren't really interested in deleting your data usually.
They'd much rather do something less visible but more useful (to them),
like
A long time ago, I made a really stupid mistake that results in deletion
of all data from a table... almost embarrassed to admit this in public, but
it might apply here.
There was an admin page with a list of all of the records in the table,
along with a link to delete or edit each
In general, you should probably avoid posting
information about specific vulnerabilities on
specific servers. Someday, someone may be held
liable for negligence for doing that sort of
thing - I think it's just a matter of time - and
you probably don't want to be that person.
I
I see your point, and I thank you for the warning..
- Original Message -
From: Dave Watts [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, February 05, 2003 2:21 PM
Subject: RE: all records deleted from table
In general, you should probably avoid posting
26 matches
Mail list logo