cfstoredproc will *not* prevent SQL injection. Stored procs are not magically immune; they too may be subject to SQL injection in the SP code itself. So the problem has moved from CF to the DB itself. Make sure you write your stored procs with protection from SQLi, as well.

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
    --Thomas Jefferson
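An added illustration of Dean's point (example code, not from the thread or from any product named in it): a SQL Server stored procedure that accepts a proper parameter but concatenates it into dynamic SQL is still injectable, so calling it through cfstoredproc/cfprocparam buys nothing. The table, column and procedure names are assumed; the hardened variants keep the SQL static, or bind values with sp_executesql and restrict identifiers to a known list when dynamic SQL is genuinely needed.

```sql
-- Assumed schema for the example.
CREATE TABLE dbo.Products (
    ProductId INT IDENTITY PRIMARY KEY,
    Name      NVARCHAR(100) NOT NULL,
    Category  NVARCHAR(50)  NOT NULL
);
GO

-- VULNERABLE: @Category is spliced into the statement text, so the
-- procedure re-creates the injection problem cfstoredproc was meant
-- to avoid. Any value containing a single quote changes the query.
CREATE PROCEDURE dbo.GetProductsByCategory_Unsafe
    @Category NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT ProductId, Name FROM dbo.Products WHERE Category = '''
             + @Category + N'''';
    EXEC (@sql);
END;
GO

-- HARDENED: static SQL. The parameter is bound by the engine and is
-- never parsed as part of the statement.
CREATE PROCEDURE dbo.GetProductsByCategory
    @Category NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ProductId, Name
    FROM dbo.Products
    WHERE Category = @Category;
END;
GO

-- HARDENED, dynamic case: a caller-chosen sort column cannot be bound as
-- a value, so the identifier is checked against a fixed list and quoted
-- with QUOTENAME, while the data value is still passed as a parameter
-- to sp_executesql rather than concatenated.
CREATE PROCEDURE dbo.GetProductsByCategorySorted
    @Category   NVARCHAR(50),
    @SortColumn SYSNAME
AS
BEGIN
    SET NOCOUNT ON;
    IF @SortColumn NOT IN (N'Name', N'ProductId')
        THROW 50000, N'Invalid sort column', 1;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT ProductId, Name FROM dbo.Products WHERE Category = @cat ORDER BY '
        + QUOTENAME(@SortColumn);

    EXEC sp_executesql @sql, N'@cat NVARCHAR(50)', @cat = @Category;
END;
GO
```

The difference to review for is whether any stored procedure builds a string and hands it to EXEC or sp_executesql with values concatenated in; parameters declared on the procedure header only protect the boundary between ColdFusion and the database, not what the procedure body does afterwards.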



On Jul 21, 2008, at 2:37 PM, John Mason wrote:

Cfqueryparam or cfstoredproc will naturally prevent this, but you should also be logging these attack attempts to monitor the activity. Portcullis (portcullis.riaforge.org), a cfc filter, can do this. An even better option is to implement a web application firewall.
John Mason
[EMAIL PROTECTED]
770.337.8363

www.FusionLink.com - ColdFusion and Flex hosting
Now offering VPS Plans running with VMware technology
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion hosting



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Knudsen
Sent: Monday, July 21, 2008 1:46 PM
To: [email protected]
Subject: [ACFUG Discuss] Re: SQL injection in the recent news again

http://www.cfwhisperer.com/post.cfm/urgent-sql-injection-attack-vulnerability

DK
--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?

-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
