> When you say "Update Your Code", are you saying using <cfqueryparam>? But 
> even so, the SQL injection still will use up countless resources instead of 
> cutting it off early. So, go back and fix 1,000s of lines of code I have 
> developed over the last 'umpteen' years or stop it before it starts? Is this 
> something new to CF8 or just a necessary evil because of SQL Injection 
> Attacks? 

Essentially, yes, code should be using cfqueryparam and other secure 
coding methods to keep the baddies out.  The resources will get used 
either way, really.  You can either rely on a filter up-front and use up 
CPU cycles regardless of whether a user is legitimate or not, or even 
whether a query is being run in the page at all, etc.  Or, you 
can implement cfqueryparam where appropriate and only use those cycles 
where they're needed, and you'll get the added benefit of prepared 
statements on the SQL Server in most cases and the queries will run 
slightly faster as a result.  Either way you go, protect yourself and 
your clients.

SQL injection attacks have been around since before I got started in web 
development, and secure coding against them has been a best practice 
just as long.  I remember updating "old" CF code I inherited way back 
when I was using ColdFusion 4, so it's certainly nothing new.

It's unfortunate that you haven't seen this in practice until now, but 
it really is something you should be doing.  It's been my observation 
over the years that web programmers in general (not just limited to 
ColdFusion) tend to learn about security only when there is a breach of 
some kind, and then have to scramble to learn under fire.  Just as an 
example, how many out there run e-commerce applications and have never 
heard of PCI-DSS?

I'm not picking on you specifically, David, so please don't think I'm 
calling you out or anything.  I'm always learning new things myself, but 
we web developers need to collectively get more educated about the risks 
and threats we face and alter our practice accordingly.


-Justin Scott
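As an added illustration of the point Justin makes above (this is example code written for this page, not code from the thread or from Adobe), here is the vulnerable pattern beside its cfqueryparam form. The datasource name "shopDSN", the "products" table and its columns are assumptions made up for the example.

```cfml
<!--- Added example, not from the CF-Talk thread. Assumes a datasource
      named "shopDSN" (hypothetical) with a table "products" that has an
      integer "productID" column and a varchar "sku" column. --->

<!--- Vulnerable: the URL value is concatenated straight into the SQL text.
      Anything the caller puts in "id" becomes part of the statement, and
      every distinct value sends a new SQL string, so the database cannot
      reuse an execution plan. --->
<cfquery name="qUnsafe" datasource="shopDSN">
    SELECT productID, name, price
    FROM products
    WHERE productID = #url.id#
</cfquery>

<!--- Hardened: cfqueryparam binds the value as a typed parameter.
      The SQL text is constant (a prepared statement on the server), the
      value is never parsed as SQL, and a value that is not a valid integer
      is rejected by ColdFusion before the query is ever sent. --->
<cfquery name="qSafe" datasource="shopDSN">
    SELECT productID, name, price
    FROM products
    WHERE productID = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String columns: pair cfsqltype with maxlength so oversized input is
      refused instead of being passed through to the database. --->
<cfquery name="qBySku" datasource="shopDSN">
    SELECT productID, name, price
    FROM products
    WHERE sku = <cfqueryparam value="#form.sku#" cfsqltype="cf_sql_varchar" maxlength="20">
</cfquery>

<!--- IN clauses are where people most often fall back to raw
      concatenation; the list attribute binds each element separately. --->
<cfquery name="qMany" datasource="shopDSN">
    SELECT productID, name, price
    FROM products
    WHERE productID IN (
        <cfqueryparam value="#url.ids#" cfsqltype="cf_sql_integer" list="true">
    )
</cfquery>
```

The useful check when retrofitting an old code base is to search for `#` inside `<cfquery>` blocks: every variable interpolated into SQL text without a surrounding cfqueryparam is a candidate, and the integer/varchar/list forms above cover nearly all of them.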




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311325