Eric, 

A good answer might be .... "it is now"  :)


-----Original Message-----
From: Eric Cobb [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 20, 2008 4:59 PM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion

> is <cfqueryparam> something a lot of programmers really use?


Only the good ones.  ;)


Thanks,

Eric

David Moore, Jr. wrote:
> When you say "Update Your Code", are you saying using <cfqueryparam>? But
> even so, the SQL injection still will use up countless resources instead of
> cutting it off early. So, go back and fix 1,000's of lines of code I have
> developed over the last 'umpteen' years or stop it before it starts? Is this
> something new to CF8 or just a necessary evil because of SQL Injection
> Attacks.
>
> Not trying to pick a fight, because I am sure you have forgotten more code
> than I will ever know (seriously) and I am probably just being lazy
> (seriously), but is <cfqueryparam> something a lot of programmers really
> use? I have never seen <cfqueryparam> used on any tags I have purchased or
> exchanged and I am afraid all I know is what I have learned from books and
> forums. This is the first I have ever heard of using <cfqueryparam>.
>
> ~David G. Moore, Jr.
>
> > Subject: Re: SQL injection attack on House of Fusion
> > From: [EMAIL PROTECTED]
> > To: cf-talk@houseoffusion.com
> > Date: Wed, 20 Aug 2008 17:01:42 -0400
> >
> > > I am currently using the SQLprev.cfm from Jochem to stop the onslaught
> > > of superfluous bandwidth suckage from my server, but was wondering what
> > > the difference would be with this one. I am not looking to start a "my
> > > SQL Injection blocker is better than yours", yet trying to educate
> > > myself on just what is going on and what is best to do.
> >
> > My original SQLprev script (http://www.gravityfree.com/_sqlprev.cfm.txt)
> > just checks for basic SQL keywords with a semicolon in URL variables.
> > It's a quick and dirty way to give you some protection from bots
> > short-term while your code base is updated to use best practices and
> > secure coding methods. Mary Jo's is more thorough in that it checks
> > additional variable scopes, and can help protect better against
> > hand-drafted attacks, but may have a higher potential for false
> > positives (though it's improved recently from what I can tell).
> >
> > SQLPrev has a version compatible with CF5 for those who need it where
> > the other script relies on CFMX functions to run. I'm not saying one is
> > better than the other, they both get the job done. Just use whatever
> > works best for you, and update your code so that you don't need either
> > of them <g>.
> >
> > -Justin Scott

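As an added illustration (not code from anyone in the thread): the string-spliced query that makes blockers like SQLprev necessary, beside the <cfqueryparam> form the replies recommend. The datasource "shop", table "products" and the URL/form parameter names are assumed.

```cfml
<!--- Added example, not from the thread. Datasource "shop", table "products"
      and the parameters url.id / form.ids are assumptions. --->

<!--- Vulnerable: url.id is spliced into the SQL text, so whoever controls
      the query string controls the statement. A keyword blocker only
      recognises the subset of inputs it was written to look for. --->
<cfquery name="product" datasource="shop">
    SELECT id, name, price
    FROM   products
    WHERE  id = #url.id#
</cfquery>

<!--- Hardened: the value travels as a bound parameter, separate from the
      SQL text, so the database never parses it as SQL. cfsqltype is also
      validated up front: a non-numeric id throws before the query is sent,
      which ends the request early instead of letting the database work on
      it (the "countless resources" concern raised above). --->
<cfquery name="product" datasource="shop">
    SELECT id, name, price
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Free text: cf_sql_varchar plus maxlength caps what the parameter can
      carry, and the LIKE wildcards are added on the server side. --->
<cfparam name="url.q" default="">
<cfquery name="search" datasource="shop">
    SELECT id, name
    FROM   products
    WHERE  name LIKE <cfqueryparam value="%#url.q#%"
                                   cfsqltype="cf_sql_varchar" maxlength="60">
</cfquery>

<!--- A comma-separated list of ids from a checkbox form: list="true" binds
      one parameter per item, so IN (...) stays parameterised too. Guard the
      empty case, since IN () is invalid SQL. --->
<cfparam name="form.ids" default="">
<cfif len(form.ids)>
    <cfquery name="selected" datasource="shop">
        SELECT id, name
        FROM   products
        WHERE  id IN (<cfqueryparam value="#form.ids#"
                                    cfsqltype="cf_sql_integer" list="true">)
    </cfquery>
</cfif>
```

The parameterised queries also keep the SQL text constant across requests, which lets the database reuse its execution plan rather than compiling a fresh statement per value.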



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311331