I read a blog entry a few months ago from a hacker who attacked Facebook or MySpace (I forget which) over a period of many months. Unfortunately I have lost the link, but it went into explicit detail about how he would attack the site, perform some evil deed, Facebook would figure out the vulnerability and code against the attack string he was using, and then he would engineer a new attack. In general, he was able to do less damage with each attack. However, his tenacity and wasted intelligence were impressive - his attacks went way beyond what you see in blogs like "5 ways to prevent SQL injection attacks".
If you are going to allow users to post text, it is obviously very important to do string trapping, as it protects against many of the worst attacks (cfqueryparam is not enough). But reading the blog made me realize that trying to trap "bad" strings (including hex strings) was never going to be 100% effective in itself. More food for thought: http://www.0x000000.com/index.php?i=297&bin=100101001
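An added example (not from the original post, and not ColdFusion code) illustrating the distinction the message draws: a denylist "string trap" guesses whether input looks hostile, while a parameterized query (the role cfqueryparam plays) and output encoding make the input inert without having to recognise it. Python with an in-memory SQLite table stands in for ColdFusion and the real database; the table and sample post are constructed here.

```python
import html
import re
import sqlite3

# A denylist "string trap": it only fires on patterns it already knows about,
# which is why the post argues it can never be 100% effective on its own.
DENYLIST = re.compile(r"<script|javascript:|onerror=", re.IGNORECASE)


def denylist_trap(text: str) -> bool:
    """Return True when the text matches a known-bad pattern."""
    return bool(DENYLIST.search(text))


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (author TEXT, body TEXT)")
    return conn


def store_post(conn: sqlite3.Connection, author: str, body: str) -> None:
    # Parameterized query, the equivalent of cfqueryparam: the database layer
    # never sees user text as SQL, so quotes in the input cannot alter the query.
    # This protects the SQL layer only; it says nothing about what the browser sees.
    conn.execute("INSERT INTO posts(author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def render_post(conn: sqlite3.Connection, author: str) -> str:
    # Output encoding for the HTML context: every stored character is shown
    # literally, so the renderer does not need to know which strings are "bad".
    row = conn.execute("SELECT body FROM posts WHERE author = ?", (author,)).fetchone()
    return "<p>%s</p>" % html.escape(row[0], quote=True)


if __name__ == "__main__":
    db = make_db()
    store_post(db, "O'Brien", '<b>1 < 2</b> & "quotes"')
    print(render_post(db, "O'Brien"))
```

The denylist returns False for the harmless sample body yet the encoded output contains no raw angle brackets or quotes; the safety comes from the encoding, not from the trap's verdict.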
