Don't leave stuff lying around
This morning I got into work to discover 3000 error messages generated since 4:30 yesterday afternoon, with more pouring in by the minute. I had something of a panic attack, as the site has been running with no errors for months.

As it turned out, I had inadvertently left an old one-time CF script on the server which had rebuilt a stored proc to a now-redundant version, and was easy enough to undo.

What had done this? IP traces from the site's logs showed the request to this rogue script coming from inside the client's gateway. At first I suspected someone there who didn't know what they were doing had simply been fiddling with the site, but as it turned out, they were running a badly configured copy of WebTrends which was itself requesting pages that appear in the logfiles. It seems that WebTrends decided to go and check it out by requesting it - probably to ascertain its status code - and in so doing invoked the stored procedure deletion / re-creation.

Moral: Don't leave stuff lying around.

--
Regards;
Richard Meredith-Hardy - [EMAIL PROTECTED]
Mob: + 44 7771 526513

__
This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Don't leave stuff lying around
Richard, this is great advice from your pain. I have seen very large sites badly hit by this sort of issue; also the robots can cause issues with stale code/features. Has anyone come across or used any sort of Stale-Code-Sniffer capability/utility?

Mike Brunt, CTO
Webapper
http://www.webapper.com
Tel: 562.243.6255
Instant Messaging AIM: webappermb
Webapper, Downey CA Office
Webapper - Making the NET Work

-----Original Message-----
From: Richard Meredith-Hardy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 5:29 AM
To: CF-Talk
Subject: Don't leave stuff lying around
Re: Don't leave stuff lying around
We try to avoid this by requiring a query string, so that even if someone brings up the file, it won't run. You have to read the instructions and copy/paste the query string to get any action.

Webapper wrote:
RE: Don't leave stuff lying around
Another option to stop this happening is to have them have a form at the start - they won't do the work until the form has been submitted... Stops the search engines bumping into them or WebTrends re-running stuff.

Philip Arnold
Technical Director
Certified ColdFusion Developer
ASP Multimedia Limited
Switchboard: +44 (0)20 8680 8099
Fax: +44 (0)20 8686 7911
www.aspmedia.co.uk
www.aspevents.net
An ISO9001 registered company.

-----Original Message-----
From: Richard Meredith-Hardy [mailto:[EMAIL PROTECTED]]
Sent: 22 May 2002 13:29
To: CF-Talk
Subject: Don't leave stuff lying around
RE: Don't leave stuff lying around
Personally I think this comes from not doing error checks in your code more than from leaving stuff lying around. Don't get me wrong, I think that at least once a month you should go through your production site and see if everything is in order. Actually you should do that with each update. However, the first lines of every page should be error checking:

1) Check to make sure each variable that is passed to the page exists and has a default value.

<cfparam name="form.username" default="">
<cfparam name="form.password" default="">

2) Qualify the variables passed and make sure that they meet your standard for length and characters allowed. You have no idea how many people think that just because they put a maxlength in a form field they are safe.

<!--- Username and password can only be alphanumeric and no more than 50 characters --->
<cfset variables.username = left(trim(ReReplaceNoCase(form.username, "[^A-Za-z0-9]", "", "ALL")), 50)>
<cfset variables.password = left(trim(ReReplaceNoCase(form.password, "[^A-Za-z0-9]", "", "ALL")), 50)>

3) Finally, make sure that you don't have an empty string.

<cfif variables.username EQ "" OR variables.password EQ "">
  <cflocation url="index.cfm" addtoken="No">
</cfif>

Make sure that you also check numeric values:

<cfparam name="url.id" default="0">
<cfset variables.id = val(url.id)>

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

-----Original Message-----
From: Philip Arnold - ASP [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 10:57 AM
To: CF-Talk
Subject: RE: Don't leave stuff lying around
RE: Don't leave stuff lying around
> 3) Finally, make sure that you don't have an empty string.
>
> <cfif variables.username EQ "" OR variables.password EQ "">
>   <cflocation url="index.cfm" addtoken="No">
> </cfif>

Actually, spaces won't be caught - use len(trim(string)) instead.

> Make sure that you also check numeric values:
>
> <cfparam name="url.id" default="0">
> <cfset variables.id = val(url.id)>

IMHO, it's easier to use CFParam to throw when an invalid datatype is passed:

<cfparam name="variable" type="numeric">

---
Billy Cravens

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 10:52 AM
To: CF-Talk
Subject: RE: Don't leave stuff lying around
RE: Don't leave stuff lying around
Don't get what you mean. Tried some tests over here and all spaces were caught. Please give an example.

> <cfparam name="variable" type="numeric">

Will this automatically set the default value to 0 even though you aren't specifying it? Should it be <cfparam name="variable" type="numeric" default="0">?

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

-----Original Message-----
From: Cravens, Billy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 12:11 PM
To: CF-Talk
Subject: RE: Don't leave stuff lying around
RE: Don't leave stuff lying around
> <cfparam name="variable" type="numeric">
>
> Will this automatically set the default value to 0 even though you aren't specifying it? Should it be <cfparam name="variable" type="numeric" default="0">?

If you omit the DEFAULT attribute, CFPARAM will throw an exception if the variable doesn't already exist. Sometimes, that's the behavior that you might want.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
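Putting the thread's suggestions together, here is a guard wrapper for a one-off maintenance script of the kind Richard left behind: it does nothing on a plain GET (which is all a crawler or WebTrends sends), requires a form POST with a pasted token as the earlier replies suggest, and uses the cfparam defaults and len(trim()) check discussed above on what it receives. This is an added example, not code from any of the posts; the token value, the "maintenance" log file name and the rebuild_proc_body.cfm include are assumptions.

```cfml
<!--- rebuild_proc.cfm: guard wrapper for a one-off maintenance script.
      Added example; the token value, log file name and the included
      template are assumptions, not anything from the original posts. --->
<cfsetting enablecfoutputonly="Yes">

<!--- Constructed shared secret from the runbook. Rotate it per use and
      delete this whole script from the server once the job has run. --->
<cfset variables.expectedToken = "CHANGE-ME-to-a-long-random-value">

<!--- Defaults (step 1 above): the checks below never throw on a missing
      field, so a crawler hitting the bare URL gets no error page either --->
<cfparam name="form.confirm" default="">
<cfparam name="form.token" default="">

<!--- A plain GET, which is all WebTrends, search engines or a curious
      browser ever send, only renders the confirmation form. Nothing runs. --->
<cfif cgi.request_method NEQ "POST">
  <cfoutput>
  <form method="post" action="#cgi.script_name#">
    <p>This rebuilds the stored procedure. Paste the token from the runbook to run it once.</p>
    <input type="password" name="token">
    <input type="hidden" name="confirm" value="yes">
    <input type="submit" value="Run once">
  </form>
  </cfoutput>
  <cfabort>
</cfif>

<!--- A POST without the exact token is refused and logged. len(trim())
      rather than EQ "" so that a field full of spaces does not count. --->
<cfset variables.token = trim(form.token)>
<cfif len(variables.token) EQ 0
      OR compare(variables.token, variables.expectedToken) NEQ 0
      OR form.confirm NEQ "yes">
  <cflog file="maintenance" type="warning"
         text="Refused rebuild_proc.cfm: ip=#cgi.remote_addr# ua=#cgi.http_user_agent#">
  <cfheader statuscode="403" statustext="Forbidden">
  <cfoutput>Forbidden.</cfoutput>
  <cfabort>
</cfif>

<!--- Guards passed: record who ran it, then do the one-time work. The
      included template (hypothetical) holds the actual stored-procedure rebuild. --->
<cflog file="maintenance" type="information"
       text="rebuild_proc.cfm executed: ip=#cgi.remote_addr#">
<cfinclude template="rebuild_proc_body.cfm">
<cfoutput>Done. Delete rebuild_proc.cfm and rebuild_proc_body.cfm from the server now.</cfoutput>
```

The warning entries in the maintenance log are also the audit trail Richard had to reconstruct from IP traces: any request that reaches the refusal branch tells you who is probing a script that should no longer exist.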
RE: Don't leave stuff lying around
I was actually thinking more of form variables, where the user can enter in spaces.

---
Billy Cravens

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 11:21 AM
To: CF-Talk
Subject: RE: Don't leave stuff lying around