> Yes, your error messages may need some help, but a combination
> of usage and proper error handling (too often ignored) can go a long
> way towards saving your bacon.

Perhaps I'm going a little overboard, but my personal philosophy is
that it shouldn't be possible for an end-user to generate a ColdFusion
error message.  Proper error handling is an absolute must so you get
notified of errors that do occur, but I will generally massage the
incoming data before passing it into a query (which uses cfqueryparam,
of course).  If I have a numeric ID, I'm going to
min(abs(val(trim(url.id))), 2000000) that variable before it ever
makes it to the query (forces a positive in-range integer or zero; the
two billion value can be modified if you're using larger numbers in
your situation; an error can occur if the integer value is out of
range so I force it in range as well).

There is something to be said for getting notified when an attack is
in progress, but I'd lean on the side of logging unusual requests and
sending a notice when the app sees greater than X unusual requests
within a certain time period so I can check it out.  It's very rare
that the error notifications on my sites ever need to kick in, and it
becomes an event when they do rather than thousands of error emails
getting generated from an automated attack.

Kudos to the original poster for making sure they used some protection
though.  Attackers don't care what your deadline looked like when the
app was written and their automated scanning tools don't care how big
your site is, so you have to assume they're going to probe long and
hard regardless of the size of the site.


-Justin

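The normalise-then-parameterise pattern Justin describes, written out as an added example (not code from his post): the sanitiser keeps his min(abs(val(trim()))) chain and adds int() so a decimal such as "12.7" cannot reach an integer bind parameter, and any request whose raw value did not survive normalisation unchanged is counted and logged so a single notice can be sent past a threshold instead of one email per hit. The datasource "appDsn", the log file "unusual", the application-scope counter and the threshold of 25 are assumptions.

```cfml
<cfscript>
// Added example; "appDsn", "unusual" and the threshold 25 are assumed values.
// Normalise a numeric ID as the post describes: trim, val() (non-numeric
// becomes 0), abs() (no negatives), min() (cap the range); int() is added
// here so a decimal string cannot reach an integer bind parameter.
numeric function safeId(required string raw, numeric maxId = 2000000) {
    return int(min(abs(val(trim(arguments.raw))), arguments.maxId));
}

// True when normalisation changed the value, i.e. the request was "unusual"
// ("abc", "-5", "12.7", "0012" and "" all qualify; "42" does not).
boolean function isUnusual(required string raw, required numeric clean) {
    return trim(arguments.raw) != toString(arguments.clean);
}

// Count unusual requests per client and return the running count so the
// caller can send one notice at the threshold rather than on every hit.
numeric function recordUnusual(required string clientIp, required string raw) {
    var count = 0;
    lock scope="application" type="exclusive" timeout="5" {
        if (!structKeyExists(application, "unusualHits")) {
            application.unusualHits = {};
        }
        if (!structKeyExists(application.unusualHits, arguments.clientIp)) {
            application.unusualHits[arguments.clientIp] = 0;
        }
        application.unusualHits[arguments.clientIp]++;
        count = application.unusualHits[arguments.clientIp];
    }
    // Log the raw value (truncated) so the probe can be reviewed later.
    writeLog(file="unusual", type="warning",
             text="client=#arguments.clientIp# raw=#left(arguments.raw, 80)#");
    return count;
}

param name="url.id" default="";
id = safeId(url.id);
if (isUnusual(url.id, id)) {
    hits = recordUnusual(cgi.remote_addr, url.id);
    if (hits == 25) {   // "greater than X" from the post; X is assumed here
        // send a single notice here (cfmail or a monitoring hook)
    }
}

// The value is already a bounded integer, but it still goes in as a bind
// parameter and is never concatenated into the SQL string.
rows = queryExecute(
    "SELECT id, title FROM items WHERE id = :id",
    { id: { value: id, cfsqltype: "cf_sql_integer" } },
    { datasource: "appDsn" }
);
</cfscript>
```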
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344152