> I guess I should also add that if hackers are seeing useful
> errors reported back to them you have a couple more problems
> besides sql injection showing unintended data in your normal
> query output.
>
> 1. Your queries are not wrapped with cftry - cfcatch.
> 2. Your queries are not cfqueryparam'd.
> 3. Your website is not showing a custom error template with a
> cleaned up user friendly hacker safe message.
> 4. Client supplied data is not scrubbed for safeness and
> problems reported in a user friendly way.
>
> Others suggested cfqueryparam'ing your queries, but while
> this will prevent sql injection, you still have ugly errors
> with possibly useful information presented to the hacker.
> Fixing the above 3 problems will get you a safer website and
> the 4th a nice user experience should a normal user make a mistake.
You don't need to wrap every query with CFTRY/CFCATCH; you're better off reserving that for specific exceptions where you can present a specific solution. If you just use CFERROR/onError to capture runtime exceptions, you can get the same results in a more structured way.

While I'm not sure I fully agree with this, there is a cogent argument to be made in favor of not scrubbing client data:
http://www.joelonsoftware.com/articles/Wrong.html

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280654
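As an added example (not code from either poster or from the CF-Talk thread), here is how the pieces discussed above fit together in ColdFusion tag syntax: a page that validates client input for a friendly message and binds it with cfqueryparam, and an Application.cfc onError handler that logs the full exception server-side while the browser only ever gets a generic error template. The file names, the datasource `myDSN`, the `products` table and the `appErrors` log file are assumptions made for the example.

```cfml
<!--- Application.cfc (hypothetical example, not from the thread) --->
<cfcomponent output="false">
    <cfset this.name = "errorHandlingDemo">

    <!---
        onError runs for any uncaught runtime exception in the application.
        Full detail goes to the server log; the client only sees the generic
        template, so a failed query never echoes SQL text, table names or
        driver messages back to whoever triggered it.
    --->
    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">

        <!--- cflog writes to <cf_root>/logs/appErrors.log --->
        <cflog file="appErrors" type="error"
               text="#arguments.eventName# | #arguments.exception.type# | #arguments.exception.message# | #arguments.exception.detail#">

        <!--- onSessionEnd / onApplicationEnd have no response to write to --->
        <cfif NOT ListFindNoCase("onSessionEnd,onApplicationEnd", arguments.eventName)>
            <cfcontent reset="true">
            <cfinclude template="/errorPage.cfm">
        </cfif>
    </cffunction>
</cfcomponent>


<!--- errorPage.cfm (hypothetical): friendly text, no exception detail at all --->
<cfoutput>
<html><body>
<h1>Sorry, something went wrong</h1>
<p>The problem has been logged. Please try again later.</p>
</body></html>
</cfoutput>


<!--- product.cfm (hypothetical): typed bind parameter plus a friendly validation message --->
<cfparam name="url.id" default="">

<cfif NOT IsValid("integer", url.id)>
    <!--- item 4 of the quoted list: a normal user's typo gets a plain message, not a stack trace --->
    <cfoutput><p>Please pick a product from the catalogue; the product id must be a whole number.</p></cfoutput>
    <cfabort>
</cfif>

<!--- item 2 of the quoted list: the value travels as a bind parameter, never concatenated into the SQL --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name, price
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfoutput>
    <cfif getProduct.recordCount EQ 0>
        <p>No such product.</p>
    <cfelse>
        <!--- HTMLEditFormat keeps database content from being rendered as markup --->
        <p>#HTMLEditFormat(getProduct.name)#: #getProduct.price#</p>
    </cfif>
</cfoutput>
```

With this layout a database-level failure (datasource offline, a renamed column) still throws from cfquery, but it is routed to onError and logged rather than rendered, so the page only needs its own cftry/cfcatch where it can do something specific with the failure, which is the point made above.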

