> When you say "Update Your Code", are you saying using 
> <cfqueryparam>?

Yes. That is the only mechanism guaranteed to prevent known and future SQL
injection attacks. Using a filter can protect you from the current attack
long enough for you to fix your broken code.

> But even so, the SQL injection still will use 
> up countless resources instead of cutting it off early. So, 
> go back and fix 1,000's of lines of code I have developed 
> over the last 'upteen' years or stop it before it starts? Is 
> this something new to CF8 or just a necessary evil because of 
> SQL Injection Attacks. 

It's only possible to stop something before it starts if you can clearly
identify what "it" is. In this attack, for example, there are some specific
keywords that you can use in a filter: DECLARE and CAST. The next attack may
use different keywords, or different permutations of the same keywords
(using Unicode sequences instead of ASCII characters, for example).

Your main concern is not the consumption of resources as a result of an
automated attack. That's just like any other denial of service attack,
basically. If you can filter it out successfully, that's good for you, but
you should be far more concerned with the results of a successful SQL
injection attack.

> is <cfqueryparam> something a lot of programmers really use?

A lot of (arguably, almost all) competent programmers use it. Fewer
incompetent programmers use it. I'm not trying to pick a fight with you
either; I'm not calling you incompetent. But at this point, web application
programmers using almost any language should be familiar with the concept of
prepared statements (what you're building with CFQUERYPARAM) and why they're
important.

> I am afraid all I know is what I have learned from books and 
> forums. This is the first I have ever heard of using <cfqueryparam>.

It's been mentioned periodically on this list for years. It's covered in the
official Adobe courseware, and in all of the CF books I've seen. That said,
I can see how you might not know about it if you don't pay relatively close
attention to all this stuff.

But with THAT said, it is your job and responsibility as a web developer to
be aware of best practices and requirements within that field. There are
PLENTY of resources about building secure web applications. Those resources
might not cover CF specifically all that much, but if you read in Open Web
Application Security Project (http://www.owasp.org/index.php/Top_10_2007),
for example, about the top ten vulnerabilities in web applications, you
would see that SQL injection is on the list and that you use prepared
statements to prevent it. Your next question should be, "how do I build a
prepared statement in ColdFusion?" You, as the web developer, are often
responsible for ALL SORTS of things that you're not going to learn in books
or forums: development issues like application security, interface issues
like usability and accessibility, business issues, deployment issues, etc.,
etc. What's more, your responsibility may well be legally binding; in other
words, you might get sued for doing the wrong thing for a client.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
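To make the answer above concrete, here is the "how do I build a prepared statement in ColdFusion?" step spelled out. This is an added example, not code from the original post or from Fig Leaf Software; the datasource name "myDSN", the table "products" and its columns "product_id" (integer) and "product_name" (varchar(100)) are assumptions made up for the illustration. The first query is the vulnerable pattern the thread is talking about; the ones after it are the same work done with CFQUERYPARAM.

```cfml
<!--- Added example, not from the original post. Datasource "myDSN", table
      "products" and its columns are invented for the illustration. --->

<!--- VULNERABLE: the request parameter is pasted into the SQL text, so the
      database sees whatever the attacker sent as part of the statement.
      A value like "1;DECLARE @s VARCHAR(4000) ..." simply runs as a second
      statement on a driver that allows batches. --->
<cfquery name="qBad" datasource="myDSN">
    SELECT product_id, product_name
    FROM   products
    WHERE  product_id = #url.id#
</cfquery>

<!--- FIXED: cfqueryparam turns the query into a prepared statement. The SQL
      text and the value travel to the driver separately, so the value can never
      alter the statement. With cf_sql_integer, ColdFusion also rejects a
      non-numeric value (such as "1;DECLARE") with an error before the query is
      sent at all, which is the "cut it off early" the poster asked about. --->
<cfquery name="qGood" datasource="myDSN">
    SELECT product_id, product_name
    FROM   products
    WHERE  product_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings: declare the type and a maxlength that matches the column (here
      100 chars plus the two wildcards). Quotes, semicolons, CAST or DECLARE
      inside the value are just characters in a bound string, not SQL. --->
<cfquery name="qSearch" datasource="myDSN">
    SELECT product_id, product_name
    FROM   products
    WHERE  product_name LIKE <cfqueryparam value="%#url.term#%"
                                           cfsqltype="cf_sql_varchar"
                                           maxlength="102">
</cfquery>

<!--- IN clauses: list="true" binds one parameter per list item, so a
      comma-separated id list from the request still cannot inject. --->
<cfquery name="qMany" datasource="myDSN">
    SELECT product_id, product_name
    FROM   products
    WHERE  product_id IN (<cfqueryparam value="#url.ids#"
                                        cfsqltype="cf_sql_integer"
                                        list="true">)
</cfquery>
```

One caveat a practitioner should know before going through those thousands of lines: CFQUERYPARAM binds values only. A table name, a column name, or the ASC/DESC of an ORDER BY cannot be a bound parameter, so anywhere request data chooses one of those, compare it against a fixed list of allowed names in CFML and never interpolate the raw input. Everywhere else, every `#variable#` inside a CFQUERY is a candidate for conversion, and the conversion is mechanical enough that the bulk of it can be done with search-and-replace plus a review pass.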


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311338