cf-talk  

RE: Don't leave stuff lying around

Tony_Petruzzi
Wed, 22 May 2002 08:35:19 -0700

Personally I think this comes from not doing error checks in your code more
than leaving stuff lying around. Don't get me wrong, I think that at least
once a month you should go through your production site and see if everything
is in order. Actually you should do that with each update. However, the
first lines of every page should be error checking:

1) check to make sure each variable that is passed to the page exists and
has a default value.
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">

2) qualify the variables passed and make sure that they meet your standard
for length and characters allowed. You have no idea how many people think
that just because they put a maxlength in a form field that they are safe.
<!--- Username and password can only be alphanumeric and no more than 50
characters --->
<cfset variables.username = left(trim(ReReplaceNoCase(form.username, "[^A-Za-z0-9]", "", "ALL")), 50)>
<cfset variables.password = left(trim(ReReplaceNoCase(form.password, "[^A-Za-z0-9]", "", "ALL")), 50)>

3) finally make sure that you don't have an empty string
<cfif
        variables.username EQ "" OR
        variables.password EQ "">
        <cflocation url="index.cfm" addtoken="No">
</cfif>


Make sure that you also check numeric values

<cfparam name="url.id" default="0">
<cfset variables.id = val(url.id)>


Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

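Added here as a worked illustration of the three steps above plus the numeric check; it is not code from the post, and Python stands in for the CFML, with clean_alnum, cf_val and the validate_* helpers as hypothetical names that model ReReplaceNoCase/trim/left/val. The constructed inputs show what the alphanumeric whitelist does to hostile strings, and why val() on its own is lenient: it silently turns "123; DROP TABLE users" into 123 instead of rejecting the request, which the stricter variant at the end does.

```python
import re
from typing import Optional

# Models the CFML calls quoted in the post:
#   ReReplaceNoCase(s, "[^A-Za-z0-9]", "", "ALL"), trim(), left(s, 50) and val().
# All inputs used in the tests are constructed examples.
ALNUM_STRIP = re.compile(r"[^A-Za-z0-9]")
LEADING_NUMBER = re.compile(r"^\s*[-+]?\d+(\.\d+)?")


def clean_alnum(value: str, max_len: int = 50) -> str:
    """left(trim(ReReplaceNoCase(value, "[^A-Za-z0-9]", "", "ALL")), max_len)."""
    stripped = ALNUM_STRIP.sub("", value)  # whitelist: keep only A-Z, a-z, 0-9
    # trim() is effectively a no-op here: spaces were already removed by the regex
    return stripped.strip()[:max_len]


def cf_val(value: str) -> float:
    """Approximation of ColdFusion val(): leading numeric prefix, otherwise 0."""
    m = LEADING_NUMBER.match(value)
    return float(m.group(0)) if m else 0.0


def validate_login(form: dict) -> Optional[dict]:
    """Steps 1-3 of the post: cfparam default, normalise, reject empty strings.

    Returns None where the post does <cflocation url="index.cfm">.
    """
    username = clean_alnum(form.get("username", ""))  # cfparam default=""
    password = clean_alnum(form.get("password", ""))
    if username == "" or password == "":
        return None
    return {"username": username, "password": password}


def validate_id(url: dict) -> int:
    """<cfparam name="url.id" default="0"> followed by val(url.id)."""
    return int(cf_val(url.get("id", "0")))


def validate_id_strict(url: dict) -> Optional[int]:
    """Stricter variant (hypothetical): accept only an all-digit positive id.

    Anything else, including "123; DROP TABLE users", is rejected with None
    rather than silently coerced to 123 the way val() would do it.
    """
    raw = url.get("id", "")
    return int(raw) if raw.isdigit() and int(raw) > 0 else None
```

Note that the same whitelist is applied to the password, so a password containing punctuation is silently altered before it is ever compared; that is a property of the post's approach worth knowing when reusing it.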

-----Original Message-----
From: Philip Arnold - ASP [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 10:57 AM
To: CF-Talk
Subject: RE: Don't leave stuff lying around


Another option to stop this happening is to have them have a form at the
start - they won't do the work until the form has been submitted...
Stops the search engines bumping into them or WebTrends re-running stuff

Philip Arnold
Technical Director
Certified ColdFusion Developer
ASP Multimedia Limited
Switchboard: +44 (0)20 8680 8099
Fax: +44 (0)20 8686 7911

www.aspmedia.co.uk
www.aspevents.net

An ISO9001 registered company.



> -----Original Message-----
> From: Richard Meredith-Hardy [mailto:[EMAIL PROTECTED]]
> Sent: 22 May 2002 13:29
> To: CF-Talk
> Subject: Don't leave stuff lying around
>
>
> This morning I got into work to discover >3000 error messages generated
> since 4:30 yesterday afternoon with more pouring in by the minute.
>
> I had something of a panic attack as the site has been running with no
> errors for months.  As it turned out, I had inadvertently left an old
> "one time" CF script on the server which had rebuilt a stored proc to a
> now-redundant version and was easy enough to undo.
>
> What had done this?  IP traces from the site's logs showed the request
> to this rogue script coming from inside the client's gateway. At first I
> suspected someone there who didn't know what they were doing had simply
> been fiddling with the site, but as it turned out, they were running a
> badly configured copy of webtrends which was itself requesting pages
> that appear in the logfiles.  It seems that Webtrends decided to go and
> check it out by requesting it - probably to ascertain its status code,
> and in so doing invoked the stored procedure deletion / re-creation.
>
> Moral:  Don't leave stuff lying around.
>
> --
> Regards;
>
> Richard Meredith-Hardy
> -------------------------------------------------------------
> [EMAIL PROTECTED]
> Mob: + 44 7771 526513
> 
