So, I have found like the "Mother Lode" of good programmers who really care about Cold Fusion and take the time to do it right? Because every piece of code I have ever gotten from Adobe Exchange or purchased from other sites has never had <cfqueryparam>. And I know Ben is going to shoot me, because looking back at some of his Advanced books now I see where he says I should be using it. I guess my 10 hour days just turned into 14 hours. Anybody got a Starbucks Supersize Java Java Double Caffeine coupon?

Eric is pretty good at the Smack Down too. Eric The Great takes David the Geek over the ropes and into the first row of chairs! (Yes, I am from the South and everything references Wrestling or Nascar.)

~David

> Subject: Re: SQL injection attack on House of Fusion
> From: [EMAIL PROTECTED]
> To: cf-talk@houseoffusion.com
> Date: Wed, 20 Aug 2008 16:59:26 -0500
>
> > is <cfqueryparam> something a lot of programmers really use?
>
> Only the good ones. ;)
>
> Thanks,
>
> Eric
>
> David Moore, Jr. wrote:
> > When you say "Update Your Code", are you saying using <cfqueryparam>? But even so, the SQL injection still will use up countless resources instead of cutting it off early. So, go back and fix 1,000's of lines of code I have developed over the last 'umpteen' years or stop it before it starts? Is this something new to CF8 or just a necessary evil because of SQL Injection Attacks?
> >
> > Not trying to pick a fight, because I am sure you have forgotten more code than I will ever know (seriously) and I am probably just being lazy (seriously), but is <cfqueryparam> something a lot of programmers really use? I have never seen <cfqueryparam> used on any tags I have purchased or exchanged and I am afraid all I know is what I have learned from books and forums. This is the first I have ever heard of using <cfqueryparam>.
> >
> > ~David G. Moore, Jr.
> >
> > Subject: Re: SQL injection attack on House of Fusion
> > From: [EMAIL PROTECTED]
> > To: cf-talk@houseoffusion.com
> > Date: Wed, 20 Aug 2008 17:01:42 -0400
> >
> > > I am currently using the SQLprev.cfm from Jochem to stop the onslaught of superfluous bandwidth suckage from my server, but was wondering what the difference would be with this one. I am not looking to start a "my SQL Injection blocker is better than yours", yet trying to educate myself on just what is going on and what is best to do.
> >
> > My original SQLprev script (http://www.gravityfree.com/_sqlprev.cfm.txt) just checks for basic SQL keywords with a semicolon in URL variables. It's a quick and dirty way to give you some protection from bots short-term while your code base is updated to use best practices and secure coding methods. Mary Jo's is more thorough in that it checks additional variable scopes, and can help protect better against hand-drafted attacks, but may have a higher potential for false positives (though it's improved recently from what I can tell).
> >
> > SQLPrev has a version compatible with CF5 for those who need it where the other script relies on CFMX functions to run. I'm not saying one is better than the other, they both get the job done. Just use whatever works best for you, and update your code so that you don't need either of them <g>.
> >
> > -Justin Scott
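An added illustration of the change the thread is discussing, not code from any of the posters: the same lookup written first with the URL value inlined into the SQL string, then with <cfqueryparam>. The datasource name, table and URL parameters are made up for the example.

```cfml
<!--- Constructed example. "myDSN", the products table and the URL
      parameters are assumptions, not from the thread. --->

<!--- Before: the request value is pasted into the SQL text, so the
      database receives whatever string the request carried, and that
      string can change the structure of the statement. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT productId, name, price
    FROM   products
    WHERE  productId = #url.productId#
</cfquery>

<!--- After: cfqueryparam binds the value as a typed parameter. The SQL
      text the database compiles never contains the value, and a value
      that is not a valid integer is rejected by ColdFusion before any
      SQL is sent, so it is cut off early rather than executed. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT productId, name, price
    FROM   products
    WHERE  productId = <cfqueryparam value="#url.productId#"
                                     cfsqltype="cf_sql_integer">
</cfquery>

<!--- String parameters follow the same pattern; maxlength bounds the
      length of the bound value, and a LIKE wildcard is added to the
      value rather than to the SQL text. --->
<cfquery name="findProducts" datasource="myDSN">
    SELECT productId, name
    FROM   products
    WHERE  name LIKE <cfqueryparam value="%#url.search#%"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>
```

Only the query text changes, which is why the advice in the thread is to update the code rather than rely on a request filter: the filter guesses at bad input, while the bound parameter makes the input unable to alter the statement at all.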
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311334