True... there again it depends on how you write the stored proc. I stand corrected :)
John Mason
[EMAIL PROTECTED]
770.337.8363

www.FusionLink.com - ColdFusion and Flex hosting
Now offering VPS Plans running with VMware technology
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion hosting

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Monday, July 21, 2008 2:43 PM
To: [email protected]
Subject: Re: [ACFUG Discuss] Re: SQL injection in the recent news again

cfstoredproc will *not* prevent SQL injection. Stored procs are not magically immune, they too may be subject to SQL injection in the SP code itself. So the problem has moved from CF to the DB itself. Make sure you write your stored procs with protection from SQLi, as well.

-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism." --Thomas Jefferson

On Jul 21, 2008, at 2:37 PM, John Mason wrote:

> Cfqueryparam or cfstoredproc will naturally prevent this, but you
> should also be logging these attack attempts to monitor the activity.
> Portcullis (portcullis.riaforge.org), a cfc filter, can do this. An
> even better option is to implement a web application firewall.
>
> John Mason
> [EMAIL PROTECTED]
> 770.337.8363
>
> www.FusionLink.com - ColdFusion and Flex hosting
> Now offering VPS Plans running with VMware technology
> Now offering ColdFusion 8 Enterprise hosting
> FREE Subversion hosting
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Knudsen
> Sent: Monday, July 21, 2008 1:46 PM
> To: [email protected]
> Subject: [ACFUG Discuss] Re: SQL injection in the recent news again
>
> http://www.cfwhisperer.com/post.cfm/urgent-sql-injection-attack-vulnerability
>
> DK
> --
> Douglas Knudsen
> http://www.cubicleman.com
> this is my signature, like it?
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
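The point Dean makes above (that cfstoredproc only parameterises the call into the procedure, and a procedure that builds dynamic SQL from its own parameters is still injectable) is easiest to see in the procedure code itself. The following SQL Server example is added here and is not code from the thread or from any of its participants; the table dbo.Users, its columns, and the procedure names are assumptions made for illustration.

```sql
-- Added example, not from the thread. Assumes a table dbo.Users(id, username, email).
-- Each procedure is the kind of thing a ColdFusion page would call with
-- <cfstoredproc> and bind @username with <cfprocparam>. That binding is safe on
-- the CF side; what happens *inside* the procedure is what differs.

-- Vulnerable: the parameter is concatenated into a SQL string and executed with
-- EXEC, so the value is parsed as SQL. cfprocparam cannot help with this.
CREATE PROCEDURE dbo.usp_GetUser_Unsafe
    @username NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT id, username, email FROM dbo.Users WHERE username = '''
             + @username + N'''';
    EXEC (@sql);
END;
GO

-- Passing the string   x' OR 1=1 --   as @username makes @sql read
--   SELECT id, username, email FROM dbo.Users WHERE username = 'x' OR 1=1 --'
-- which returns every row. A payload containing a semicolon can append a
-- second statement, which is how the mass injections in the news were done.

-- Hardened: the query is still assembled dynamically, but the value travels as
-- a real parameter through sp_executesql, so it is bound, never parsed as SQL.
CREATE PROCEDURE dbo.usp_GetUser_Safe
    @username NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT id, username, email FROM dbo.Users WHERE username = @u';
    EXEC sp_executesql @sql, N'@u NVARCHAR(100)', @u = @username;
END;
GO

-- Simplest of all: when the statement does not need to be dynamic, do not
-- build it as a string. A static query with the parameter used directly is
-- not injectable, whatever the caller passes.
CREATE PROCEDURE dbo.usp_GetUser_Static
    @username NVARCHAR(100)
AS
BEGIN
    SELECT id, username, email FROM dbo.Users WHERE username = @username;
END;
GO
```

A quick check when auditing existing procedures is to search their definitions for EXEC followed by a parenthesised string or a string built with + from a parameter; any hit is worth the same scrutiny as an unparameterised cfquery. The usp_GetUser_Static form is the one to prefer, with sp_executesql reserved for cases where the table, column list or sort order genuinely has to vary, and even then those identifiers should come from a whitelist rather than from the caller.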
