Well, it is my goal :) not there yet...

> Subject: Re: SQL injection attack on House of Fusion
> From: [EMAIL PROTECTED]
> To: cf-talk@houseoffusion.com
> Date: Wed, 20 Aug 2008 16:59:26 -0500
>
> > is <cfqueryparam> something a lot of programmers really use?
>
> Only the good ones. ;)
>
> Thanks,
> Eric
>
> David Moore, Jr. wrote:
> > When you say "Update Your Code", are you saying using <cfqueryparam>? But even so, the SQL injection still will use up countless resources instead of cutting it off early. So, go back and fix 1,000s of lines of code I have developed over the last 'umpteen' years or stop it before it starts? Is this something new to CF8 or just a necessary evil because of SQL Injection Attacks?
> >
> > Not trying to pick a fight, because I am sure you have forgotten more code than I will ever know (seriously) and I am probably just being lazy (seriously), but is <cfqueryparam> something a lot of programmers really use? I have never seen <cfqueryparam> used on any tags I have purchased or exchanged and I am afraid all I know is what I have learned from books and forums. This is the first I have ever heard of using <cfqueryparam>.
> >
> > ~David G. Moore, Jr.

> Subject: Re: SQL injection attack on House of Fusion
> From: [EMAIL PROTECTED]
> To: cf-talk@houseoffusion.com
> Date: Wed, 20 Aug 2008 17:01:42 -0400
>
> > I am currently using the SQLprev.cfm from Jochem to stop the onslaught of superfluous bandwidth suckage from my server, but was wondering what the difference would be with this one. I am not looking to start a "my SQL Injection blocker is better than yours", yet trying to educate myself on just what is going on and what is best to do.
>
> My original SQLprev script (http://www.gravityfree.com/_sqlprev.cfm.txt) just checks for basic SQL keywords with a semicolon in URL variables. It's a quick and dirty way to give you some protection from bots short-term while your code base is updated to use best practices and secure coding methods. Mary Jo's is more thorough in that it checks additional variable scopes, and can help protect better against hand-drafted attacks, but may have a higher potential for false positives (though it's improved recently from what I can tell).
>
> SQLPrev has a version compatible with CF5 for those who need it where the other script relies on CFMX functions to run. I'm not saying one is better than the other, they both get the job done. Just use whatever works best for you, and update your code so that you don't need either of them <g>.
>
> -Justin Scott
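The thread above asks what "update your code" to use <cfqueryparam> actually looks like, and why a keyword blocker such as SQLprev is only a stopgap. The following is an added illustration written for this archive page; it is not code from any of the posters or from the SQLprev script. The datasource name, the "products" table and its columns, and the url/form variables are assumed for the example.

```cfml
<!--- Added example, not code from the CF-Talk thread. Assumes a datasource
      "myDSN" and a table "products" with columns id, name, price
      (all hypothetical names chosen for illustration). --->

<!--- BEFORE: url.id is pasted straight into the SQL text. Whatever arrives
      in the URL becomes part of the statement, which is exactly what the
      bots in the thread rely on. A keyword filter in front of this query
      can only guess at which strings are dangerous. --->
<cfquery name="getProductUnsafe" datasource="myDSN">
    SELECT id, name, price
    FROM   products
    WHERE  id = #url.id#
</cfquery>

<!--- AFTER: the value travels as a bind parameter, separately from the SQL
      text, so it can never change the statement's structure. cfsqltype
      also validates the value: a non-integer url.id raises an error before
      the query is sent, which gives the "cut it off early" behaviour the
      thread asks about without scanning for keywords. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name, price
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String input: cf_sql_varchar binds the text and maxlength bounds it.
      A search term containing a quote or the word SELECT is plain data
      here, so the false positives a keyword blocker produces on ordinary
      text (the concern raised about the more aggressive script) do not
      arise. --->
<cfquery name="findProducts" datasource="myDSN">
    SELECT id, name, price
    FROM   products
    WHERE  name LIKE <cfqueryparam value="%#form.term#%"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="100">
</cfquery>

<!--- Lists for IN clauses bind too: list="true" splits the value on the
      separator and emits one placeholder per element, each validated as
      an integer. --->
<cfquery name="getSelected" datasource="myDSN">
    SELECT id, name
    FROM   products
    WHERE  id IN (<cfqueryparam value="#form.ids#"
                                cfsqltype="cf_sql_integer"
                                list="true">)
</cfquery>
```

Converting an existing code base is mostly mechanical: every `#variable#` that sits inside a cfquery body becomes a cfqueryparam with the matching cfsqltype, and the URL/form filter can be retired once no query interpolates user input directly.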


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311333
