I did, Dave, and it's a good summary, especially of the more advanced topics like extended procedures and ActiveX integration. It (http://www.nextgenss.com/papers/advanced_sql_injection.pdf for those new to the thread) also serves as yet another reminder to never use the default error messages or dump a SQL error on a publicly viewable site. Most of these things are much more difficult, if not impossible, to accomplish if the error message doesn't provide validation to the attacker.
-Jeff

Dave Watts wrote:
>> Indeed. I see myself beginning to get flogged over this, but
>> I'm only trying to make this point: "it's not that easy".
>> Somebody said "show me an example", and somebody else said
>> "here". I'm simply saying that the example is flawed, and I
>> am CERTAINLY not saying "don't worry about injection" or
>> "don't use cfqueryparam"
>
> Did you read the nextgenss PDF link I posted? I'm pretty sure it has some
> examples for you.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
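Jeff's two points above (bind your parameters, and never show the visitor the raw database error) as an added example. This is not code from the thread, from the NGSS paper, or from any ColdFusion project: it is a small Python script against an in-memory SQLite database with a constructed `users` table, and the function names (`lookup_vulnerable`, `lookup_parameterised`, `handle_verbose`, `handle_generic`, `table_exists_via_error`) are made up for the illustration. The NGSS paper's error-based trick relies on SQL Server's type-conversion messages; SQLite has no equivalent, so the oracle used here is SQLite's "no such table" versus "no such column" wording, which is the same idea (the error text confirms a guess) with a different engine.

```python
"""Added example: string-built query vs bound parameter, and a verbose
error page vs a generic one, over a constructed SQLite database."""
import sqlite3

# Constructed sample schema and rows; nothing here comes from the thread.
SAMPLE_SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO users VALUES (1, 'alice', 'sha1:deadbeef');
INSERT INTO users VALUES (2, 'bob',   'sha1:cafebabe');
"""


def make_db():
    """Fresh in-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def lookup_vulnerable(conn, username):
    """The flawed pattern: the visitor's input is spliced into the SQL text,
    so a quote in the input changes the statement itself."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The cfqueryparam equivalent: the value is bound by the driver and is
    never parsed as SQL, whatever characters it contains."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def handle_verbose(conn, lookup, username):
    """Page that dumps the database error straight to the visitor."""
    try:
        return {"rows": lookup(conn, username), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


def handle_generic(conn, lookup, username):
    """Page that keeps the database error server-side (log it there) and
    gives the visitor a fixed string that confirms nothing."""
    try:
        return {"rows": lookup(conn, username), "error": None}
    except sqlite3.Error:
        return {"rows": [], "error": "Request failed"}


def table_exists_via_error(conn, handler, table):
    """Attacker side: use the page's error text as an oracle for whether a
    table exists, against the vulnerable lookup. The probe references a
    column that never exists, so the only question is which error comes
    back: 'no such table' (guess wrong) or 'no such column' (guess right).
    Returns True / False, or None when the page gives nothing to go on."""
    probe = "x' AND 1=(SELECT no_such_col FROM " + table + ")--"
    err = handler(conn, lookup_vulnerable, probe)["error"] or ""
    if err.startswith("no such column"):
        return True
    if err.startswith("no such table"):
        return False
    return None


if __name__ == "__main__":
    db = make_db()
    # Classic tautology and UNION payloads against the string-built query.
    print(lookup_vulnerable(db, "x' OR '1'='1"))
    print(lookup_vulnerable(db, "x' UNION SELECT id, password_hash FROM users--"))
    # The same payload bound as a parameter is just an unknown username.
    print(lookup_parameterised(db, "x' OR '1'='1"))
    # With verbose errors the attacker can enumerate tables; with a generic
    # page the same probes tell them nothing.
    print(table_exists_via_error(db, handle_verbose, "users"))
    print(table_exists_via_error(db, handle_verbose, "orders"))
    print(table_exists_via_error(db, handle_generic, "users"))
```

The two lookups differ by a single line, which is the whole argument for cfqueryparam: the bound version receives the injection string as a literal username and returns nothing. The two handlers differ only in what reaches the browser, and that alone decides whether the enumeration probe works.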

