I did, Dave, and it's a good summary, especially of the more advanced 
topics like extended procedures and ActiveX integration.  It 
(http://www.nextgenss.com/papers/advanced_sql_injection.pdf for those 
new to the thread) also serves as yet another reminder to never use the 
default error messages or dump a SQL error in a publicly viewable site.  
Most of these things are much more difficult, if not impossible, to 
accomplish if the error message doesn't provide validation to the attacker.

-Jeff

Dave Watts wrote:

>>Indeed.  I see myself beginning to get flogged over this, but 
>>I'm only trying to make this point:  "it's not that easy".  
>>Somebody said "show me an example", and somebody else said 
>>"here".  I'm simply saying that the example is flawed, and I 
>>am CERTAINLY not saying "don't worry about injection" or 
>>"don't use cfqueryparam"
>>    
>>
>
>Did you read the nextgenss PDF link I posted? I'm pretty sure it has some
>examples for you.
>
>Dave Watts, CTO, Fig Leaf Software
>http://www.figleaf.com/
>
>Fig Leaf Software provides the highest caliber vendor-authorized 
>instruction at our training centers in Washington DC, Atlanta, 
>Chicago, Baltimore, Northern Virginia, or on-site at your location. 
>Visit http://training.figleaf.com/ for more information!
>
>
>
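An added illustration of Jeff's two points above (parameterize the query, and never echo the raw database error to the page); this is example code written for this summary, not anything from the thread, the NGSSoftware paper, or ColdFusion itself. It uses Python's sqlite3 module with an in-memory table constructed inline; the `?` placeholder stands in for what cfqueryparam does in CFML, and the dictionary returned by each function stands in for the page the visitor would see. The table name, column names and sample rows are assumed.

```python
import logging
import sqlite3

log = logging.getLogger("lookup")


def build_db():
    # Constructed sample data: an in-memory users table with two rows.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn, username):
    # The flawed pattern: the value is concatenated into the SQL text, and the
    # database's own error message is handed straight back to the caller,
    # i.e. "dumped" on the page. A stray quote in the input changes the query
    # and the error text tells the visitor exactly how it was parsed.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


def lookup_safe(conn, username):
    # The hardened pattern: the value is bound as a parameter (the role
    # cfqueryparam plays in CFML), so a quote is just data and never alters
    # the statement. If the query still fails, the detail goes to the server
    # log and the page gets a fixed, uninformative message.
    sql = "SELECT username, email FROM users WHERE username = ?"
    try:
        return {"rows": conn.execute(sql, (username,)).fetchall(), "error": None}
    except sqlite3.Error:
        log.exception("user lookup failed")
        return {"rows": [], "error": "An error occurred."}


if __name__ == "__main__":
    db = build_db()
    for name in ("alice", "o'brien"):
        print("unsafe", repr(name), lookup_unsafe(db, name))
        print("safe  ", repr(name), lookup_safe(db, name))
```

Running it shows the difference Jeff is describing: for the ordinary value `alice` both functions return the same row, but for a value containing a quote the unsafe version returns a database parse error to the caller, while the safe version simply reports no matching row and never exposes what the engine thought of the input.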

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192838
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4