> Just a couple of pieces of advice. First, I'd recommend using CFQUERYPARAM
> instead of Val in your inline SQL whenever possible. Second, in my
> experience, people aren't really interested in deleting your data usually.
> They'd much rather do something less visible but more useful (to them), like
> install rootkits on your database server. So, looking for DELETE in your web
> server log files and not finding it, doesn't mean that you haven't been
> victimized.
I agree! Just did not want to go that far. Besides, using val() in your CFQUERYPARAM still has its advantages, like not getting an error when a non-integer is passed to it.

> One final piece of advice. In general, you should probably avoid posting
> information about specific vulnerabilities on specific servers. Someday,
> someone may be held liable for negligence for doing that sort of thing - I
> think it's just a matter of time - and you probably don't want to be that
> person. It's analogous to me telling everyone that Ray Camden leaves his
> front door unlocked, and oh by the way he lives at ... (sorry for dragging
> you into this, Ray.)

I agree, and normally don't do this sort of thing; however, there is a long history behind this story. And I feel that if websites like these HAVE been given ENOUGH warnings about these security holes and still DON'T take action, and by doing so put the personal data of 50.000 clients at stake, including their credit card information, I believe they deserve to be mentioned. I don't think my mentioning their names can make me responsible for negligence; maybe if I said "go to page xxx and use the following code to hack their site", it would be....

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
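The Val() versus CFQUERYPARAM trade-off discussed in this exchange, as an added example that is not code from the original thread. It assumes a datasource named myDSN, a users table with an integer id column, and a page that receives url.id.

```cfml
<!--- Constructed example, not from the thread. Assumes a datasource "myDSN"
      and a table "users" with an integer primary key "id". --->

<!--- 1. Vulnerable: URL input is pasted straight into the SQL string.
      url.id = "5 OR 1=1" makes the WHERE clause match every row. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, name FROM users WHERE id = #url.id#
</cfquery>

<!--- 2. Val() alone: the input is reduced to its leading number, so any
      trailing SQL fragment is dropped, but "abc" silently becomes 0 and
      "5 OR 1=1" silently becomes 5. No error, nothing in the log. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, name FROM users WHERE id = #Val(url.id)#
</cfquery>

<!--- 3. CFQUERYPARAM: the value is bound as a typed parameter and never
      concatenated into the statement. cf_sql_integer makes ColdFusion
      throw on non-integer input, so a malformed id shows up as an
      exception in the application log instead of reaching the DB. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, name FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 4. The variant described in the reply: Val() inside CFQUERYPARAM keeps
      the bound parameter but trades the exception for silent coercion.
      Decide deliberately: (3) fails loudly and is detectable; (4) never
      errors but will happily look up id 0 for input such as "abc". --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, name FROM users
    WHERE id = <cfqueryparam value="#Val(url.id)#" cfsqltype="cf_sql_integer">
</cfquery>
```

If you prefer form (4) for user-facing pages, log the raw url.id whenever Val(url.id) differs from it, so the silent coercion still leaves a trace for the monitoring the quoted advice recommends.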

