Billy Cravens said:
> There's no telling what's running [on the Allaire site]. I know it's
> a different system, but about a month ago I hit the beta.allaire.com
> forums, and it crashed, and [...] I got a standard Access database error!
Speaking of which ... I think this raises an interesting point.
Whenever I stumble across another site that I like that uses CF, I get a big
kick out of it. It's sorta like validation, you know? Sure, MacroAllaire
pumps out tons of manager-speak on how great their product is and how huge
an install base they have, but it's always good to *see* it. But,
invariably, the ego and hubris kick in and I feel this strange urge to make
sure these unknown coders are doing their jobs. If the site has a
relatively simple DB access system in place (file browser, etc), for grins
I'll change the ProductID=1278 (or whatever) to something non-numeric to see
how their system handles it.
Sadly enough, the majority of them don't.
Now, this is as far as it ever goes. I don't scan them for exploits. I
don't take the resulting DB error and try to hack into anything. I don't do
anything else to their site. I do, however, send them an email stating that
their coding is leaving them open to attack, because invariably the people
who don't have decent error checking are also running against an Access
back-end or something, and that's just *asking* for some script kiddie to
hit you. In my email I explain, very nicely, everything that I've explained
here, in addition to stating that, simply for my peace of mind and continued
uneventful use of their site, I'd be willing to help them fix their code pro
bono, no strings attached. I don't try to sell them some magic piece of
code to hack-proof their site, I don't try to sell them on some kind of
support plan, I just offer to do what I can to help.
Apparently, I'm not charismatic enough, because no one ever wants my help,
and to date no one I have emailed has bothered to fix their sites.
Sure, I get nice terse emails saying "thanks for pointing out the errors,
we'll forward them on to our programmer-types", but that's it. Months
later, I go back and their site is still broken. That saddens me greatly.
I mean, I don't have the time to fix every broken CF site on the 'net, but I
certainly have an hour or two to add a couple dozen lines of code to a site
here and there. And some of these sites are pretty darn cool! I'd be
ticked if one day I came along and got a message like "some idiot hacked
into our site and trashed the db, so we'll be down for a few days rebuilding
everything" and I couldn't use the site for that time. If someone emailed
me that I had a big gaping hole in a web app I'd written, I'd do my best to
drop everything and fix it. Then I'd send a nice email and see if I can get
an address to send some swag or something. I don't expect that I'll ever
get that kind of treatment, but that's what I'd do.
Anyway, I am *not* advocating that you go and try to find CF sites to hack
into or break. I *am* advocating that you take the time to send an email to
sites that you find that are broken. The majority of them won't bother to
do anything, but you still know you did your best to make the 'net one step
safer for other surfers. And you might get someone like me on the other end
that wants to send you free squishy-balls or something. You never know.
Sure, it's feel-good and mushy, but we're all in this together, folks.
Let's help each other out.
-R
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
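The "change ProductID=1278 to something non-numeric" check described in the post fails on sites that pass the URL value straight into a query and let the raw database error reach the browser. Below is an added CFML example (not code from the post or from any site it mentions) showing the couple dozen lines that close that hole: validate the parameter type up front, bind it with cfqueryparam, and catch any remaining database failure so the visitor sees a generic message while the detail goes to the server log. The datasource name "shopDSN", the Products table and its columns are placeholders assumed for the example.

```cfml
<!--- Added example (not from the original post): handle URL.ProductID safely.
      Assumes a datasource named "shopDSN" and a Products table with an
      integer ProductID column; both are placeholder names. --->

<!--- 1. Reject anything that is not a positive whole number before it reaches
      the DB. A request like ?ProductID=abc gets a clean 400 instead of a
      database error page. --->
<cfif NOT StructKeyExists(URL, "ProductID")
      OR NOT IsNumeric(URL.ProductID)
      OR Int(URL.ProductID) NEQ URL.ProductID
      OR URL.ProductID LT 1>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput><p>Invalid product ID.</p></cfoutput>
    <cfabort>
</cfif>

<!--- 2. Bind the value as a typed parameter rather than splicing it into the
      SQL string. cfqueryparam sends it as an integer and rejects anything
      that does not fit that type. --->
<cftry>
    <cfquery name="getProduct" datasource="shopDSN">
        SELECT ProductID, ProductName, Price
        FROM   Products
        WHERE  ProductID = <cfqueryparam value="#URL.ProductID#"
                                          cfsqltype="cf_sql_integer">
    </cfquery>

    <cfif getProduct.recordCount EQ 0>
        <cfheader statuscode="404" statustext="Not Found">
        <cfoutput><p>No such product.</p></cfoutput>
        <cfabort>
    </cfif>

    <cfoutput>
        <h1>#HTMLEditFormat(getProduct.ProductName)#</h1>
        <p>Price: #DollarFormat(getProduct.Price)#</p>
    </cfoutput>

    <!--- 3. If the database still fails, log the detail server-side and show
          the visitor a generic message; never echo cfcatch.Message or
          cfcatch.Detail to the page. --->
    <cfcatch type="database">
        <cflog file="shop" type="error"
               text="Product lookup failed: #cfcatch.Message# #cfcatch.Detail#">
        <cfheader statuscode="500" statustext="Internal Server Error">
        <cfoutput><p>Sorry, something went wrong. Please try again later.</p></cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```

The type check in step 1 is what the post's non-numeric test exercises; step 2 protects against values that pass a loose check but are still hostile; step 3 is the part most often missing on the sites the post describes, where the raw Access error, with table and column names in it, is what the visitor actually receives.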