RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-25 Thread Dave Watts
> Interesting question:
> 
> 
> 
> This is commented query in the code: Do any of you think if 
> can process commented? I don't think so. But I am curious 
> these hackers can do crazy stuff. Probably I will get an 
> answer put in the commented query cfqueryparam or delete it :)

Code that is disabled by CFML comments isn't executed, and is therefore
perfectly safe.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309751
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
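
The distinction the reply above turns on, as an added example that is not code from the thread (the datasource `appDSN`, the `articles` table and `url.id` are assumed names): only a CFML comment, written with three dashes, keeps a tag from running. An HTML comment, written with two dashes, is plain output to ColdFusion, so a query inside it still executes.

```cfml
<!--- CFML comment (three dashes): stripped when the template is compiled.
      The query below never reaches the database, whatever url.id holds.
<cfquery name="qDisabled" datasource="appDSN">
    SELECT title FROM articles WHERE id = #url.id#
</cfquery>
--->

<!-- HTML comment (two dashes): ColdFusion passes the comment markers through
     as text and still processes every CFML tag between them, so this query
     runs on each request. It has to be deleted, moved into a CFML comment,
     or given cfqueryparam like any live query.
<cfquery name="qStillRuns" datasource="appDSN">
    SELECT title FROM articles WHERE id = #url.id#
</cfquery>
-->
```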


Re: Forcing a page refresh even when the "back" button is used.

2008-07-25 Thread Pete Ruckelshaus
Fantastic, that did it!  Thanks!

On Fri, Jul 25, 2008 at 9:50 PM, MariusMilosav <[EMAIL PROTECTED]>wrote:

> Try also the following:
>  />
> 
> 
> 
>
>
> Regards
> Marius
>
> -Original Message-
> From: Pete Ruckelshaus [mailto:[EMAIL PROTECTED]
> Sent: July 25, 2008 9:15 PM
> To: CF-Talk
> Subject: Forcing a page refresh even when the "back" button is used.
>
> I'm trying to force a page to load from the server, no matter what...even
> if
> cached, even if the browser's back button is used, etc.  However, expiring
> the page via cfheader doesn't seem to be working:
>
> 
> Is there a sure-fire way to accomplish this?
>
> Thanks
>
> Pete
>
>
>
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309750


Re: Is this a CF bug or just a Java behavior?

2008-07-25 Thread James Holmes
Did you just say you should NEVER do something?

And you hassled us for NEVER doing a query without a cfqueryparam. Typical.

On Sat, Jul 26, 2008 at 4:33 AM, Claude Schneegans wrote:

> As a basic principle in programming, one should never (and I really mean
> *never* ;-)
> compare floating values, especially when they are results of an operation.
>
> Instead of c EQ 6.2, one should use Abs (c - 6.2) LTE 0.01
> or anything equivalent.

-- 
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309749


Re: Is this a CF bug or just a Java behavior?

2008-07-25 Thread James Holmes
Add this to your demo:

Is val(c) EQ val(6.2): #val(c) EQ val(6.2)# 

Val() sorts this out for you.

On Sat, Jul 26, 2008 at 4:19 AM, Qasim Rasheed wrote:
> One of my fellow developers discovered some weird behaviour with ColdFusion
> number manipulation. Here is an example
>
> 
> 
> 
> 
> Value of c: #c# 
> Is c EQ 6.2: #c EQ 6.2# 
> ToString on c: #c.toString()# 
> 
>
> If you run this piece of code the first value will be 6.2, second will be a
> NO and then toString will result in 6.199.
>
> Isn't this a simple subtraction?
>
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309748


RE: Forcing a page refresh even when the "back" button is used.

2008-07-25 Thread MariusMilosav
Try also the following:

 




Regards
Marius 

-Original Message-
From: Pete Ruckelshaus [mailto:[EMAIL PROTECTED] 
Sent: July 25, 2008 9:15 PM
To: CF-Talk
Subject: Forcing a page refresh even when the "back" button is used.

I'm trying to force a page to load from the server, no matter what...even if
cached, even if the browser's back button is used, etc.  However, expiring
the page via cfheader doesn't seem to be working:


Is there a sure-fire way to accomplish this?

Thanks

Pete




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309747


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-25 Thread Pete Ruckelshaus
I just got hit by this on one of my older sites (inconsistent use of
cfqueryparam) yesterday.  I found an immensely helpful and very timely
posting here
http://russ.michaels.me.uk/index.cfm/2008/7/24/SQL-Injection-Attacks--How-to-protect_yourself
(I believe "Snake" is a list participant).  I spent 7 hours editing all of my
queries to make sure I was using cfqueryparam consistently throughout, then
ran Snake's AMAZINGLY EFFECTIVE sql solution to clean up the
database...otherwise it would have been down to editing thousands of
database records.  Additionally, I switched all form transactions over to
POSTS and made sure everything was properly scoped.

In addition, I added a couple of scripts to my application.onRequestStart();
one of them ensures that the referring page on a POST transaction is from my
site:

  
   You have attempted to perform an illegal
operation.
   
  
The other script checks the URL and FORM scopes to ensure that it doesn't
contain anything nasty...basically the last code example from Snake's blog
posting, with some stuff added.

Pete


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309746
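
The two measures described in the message above, as an added example that is not the poster's code or the blog's: an `onRequestStart` check that the Referer host on a POST is this site, and a query rewritten with cfqueryparam. The application name, the datasource `appDSN`, the `products` table and `url.id` are assumed; the Referer header is supplied by the client, so the check sits in front of the parameterised queries and does not replace them.

```cfml
<!--- Application.cfc (assumed application name) --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">

    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var refererHost = "">

        <cfif cgi.request_method EQ "POST">
            <!--- Reduce the Referer to its host and compare it exactly.
                  A substring search for the site name would also match
                  when the name only appears in another site's path or
                  query string. An empty or malformed Referer is returned
                  unchanged by reReplaceNoCase and fails the comparison. --->
            <cfset refererHost = reReplaceNoCase(cgi.http_referer, "^https?://([^/:?]+).*$", "\1")>
            <cfif compareNoCase(refererHost, cgi.server_name) NEQ 0>
                <cfheader statuscode="403" statustext="Forbidden">
                <cfoutput>You have attempted to perform an illegal operation.</cfoutput>
                <cfabort>
            </cfif>
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- product.cfm (assumed template), before: url.id is concatenated
      into the SQL text, so whatever arrives in the URL becomes SQL --->
<cfquery name="qBefore" datasource="appDSN">
    SELECT name, price FROM products WHERE id = #url.id#
</cfquery>

<!--- After: the value is bound as a typed parameter. A non-integer
      url.id raises an error before the statement reaches the database. --->
<cfquery name="qAfter" datasource="appDSN">
    SELECT name, price FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```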


Re: WireFrame Viewer/Editor

2008-07-25 Thread Howard Fore
A Google for "Kevin Roche" and coldfusion comes up with the likely suspect.

On Fri, Jul 25, 2008 at 4:57 PM, Dan LeGate <[EMAIL PROTECTED]> wrote:

>  I was poking around sourceforge to see
> how to contact the author/s, but not having any luck, and the forum
> posts end in 2007, so I doubt anyone is watching those.
>
> Anyone know how I can get hold of them for help?  Or whether there's a
> newer version of this software elsewhere out there?




-- 
Howard Fore, [EMAIL PROTECTED]
"In any moment of decision, the best thing you can do is the right thing,
the next best thing is the wrong thing, and the worst thing you can do is
nothing." - Theodore Roosevelt


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309745


Forcing a page refresh even when the "back" button is used.

2008-07-25 Thread Pete Ruckelshaus
I'm trying to force a page to load from the server, no matter what...even if
cached, even if the browser's back button is used, etc.  However, expiring
the page via cfheader doesn't seem to be working:


Is there a sure-fire way to accomplish this?

Thanks

Pete


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309744


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-25 Thread Radek Valachovic
Interesting question:



This is commented query in the code: Do any of you think if can process
commented? I don't think so. But I am curious these hackers can do crazy
stuff. Probably I will get an answer put in the commented query cfqueryparam
or delete it :)

Radek

On Thu, Jul 24, 2008 at 2:33 PM, Dave Watts <[EMAIL PROTECTED]> wrote:

> > So if I won't use maxlength still it is gonna be secured?
>
> Yes.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309743


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-25 Thread Al Musella, DPM
I set up a scheduled task to check my database every 15 minutes.  It 
looks for my entry in the users table, and compares my email address 
and website address with what is in the database.  IF it differs, I 
get an email.   I did the same thing for 10 different tables.




> > > If I do find any vulnerabilities, is there something I can run
> > > against the database to see if it has been infected?
> >



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309742
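
The scheduled check described in the message above, as an added example that is not the poster's code: a template run by a scheduled task compares one known row against values kept in the template and mails the owner when they differ. The datasource `appDSN`, the column names, the key value and the addresses are assumed; one such block per monitored table covers the ten-table setup the message mentions.

```cfml
<!--- tripwire.cfm: run from a scheduled task (the message uses 15 minutes).
      The expected values live in the template, not in the database, so a
      change to the data cannot also change what it is compared with. --->
<cfset expected = structNew()>
<cfset expected.email = "owner@example.com">
<cfset expected.website = "http://www.example.com/">
<cfset changed = "">

<cfquery name="qCanary" datasource="appDSN">
    SELECT email, website
    FROM users
    WHERE user_id = <cfqueryparam value="1" cfsqltype="cf_sql_integer">
</cfquery>

<cfif qCanary.recordCount NEQ 1>
    <!--- A deleted or duplicated canary row is itself a finding --->
    <cfset changed = listAppend(changed, "users: canary row missing or duplicated")>
<cfelse>
    <!--- compare() is case-sensitive and returns 0 only on an exact match,
          so text appended to a column value is caught as well --->
    <cfif compare(qCanary.email, expected.email) NEQ 0>
        <cfset changed = listAppend(changed, "users.email")>
    </cfif>
    <cfif compare(qCanary.website, expected.website) NEQ 0>
        <cfset changed = listAppend(changed, "users.website")>
    </cfif>
</cfif>

<cfif listLen(changed)>
    <cfmail to="owner@example.com"
            from="tripwire@example.com"
            subject="Database tripwire: canary row changed">
Values that no longer match: #changed#
Checked at: #dateFormat(now(), "yyyy-mm-dd")# #timeFormat(now(), "HH:mm:ss")#
    </cfmail>
</cfif>
```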


Re: CFFILE

2008-07-25 Thread Simon Bailey








So here I use ExpandPath to find the directory that the current script  
resides and set the destination directory to store uploaded content to  
'uploads'.  I then check to see if the destination directory exists,  
if it doesn't I create it.

HTH

Simon


On 25 Jul 2008, at 23:21, Josh Nathanson wrote:

I think that the images directory has to exist already before you do the
CFFILE operation, in other words it won't create the directory for you.

-- Josh


- Original Message -
From: "Fawzi Amadu" <[EMAIL PROTECTED]>
To: "CF-Talk" 
Sent: Friday, July 25, 2008 3:10 PM
Subject: Re: CFFILE


> Thanks for the info> I changed my code as follows:
>
> CODE:
>
> filefield="uploadProductIMAGE"
> destination="C:\CFusionMX\wwwroot\e-Ghana\images\"
> nameconflict="makeunique">
>
> and I get the following error message:
>
>
>
> Attribute validation error for tag CFFILE.
> The value of the attribute destination, which is currently
> "C:\CFusionMX\wwwroot\e-Ghana\images\", is invalid.
>
> The error occurred in C:\CFusionMX7\wwwroot\e-Ghana 
> \testFileUpload.cfm:
> line 17
>
> 15 :  filefield="uploadProductIMAGE"
> 16 : destination="C:\CFusionMX\wwwroot\e-Ghana\images\"
> 17 : nameconflict="makeunique">
> 18 :
> 19 :  
>
>
>> From livedocs:
>>
>> destination: Pathname of directory in which to upload the file. If  
>> not
>> an absolute path (starting with a drive letter and a colon, or a  
>> forward
>> or backward slash), it is relative to the ColdFusion temporary
>> directory, which is returned by the GetTempDirectory function.
>>
>>
>> I have up written code to upload a file for my computer, but I am
>> getting an error that I do not understand. I used
>> destination="../images/"with the intention of saving the file in the
>> images folder of root of my site. Please help, TIA
>>
>> CODE:
>>
>> >filefield="uploadProductIMAGE"
>> destination="../images/"
>> nameconflict="makeunique">
>>
>>
>> ERROR MESSAGE:
>>
>> Attribute validation error for tag CFFILE.
>> The value of the attribute destination, which is currently "../ 
>> images/",
>> is invalid.
>>
>> The error occurred in C:\CFusionMX7\wwwroot\e-Ghana 
>> \testFileUpload.cfm:
>> line 15
>>
>> 13 :  filefield="uploadProductIMAGE"
>> 14 : destination="../images/"
>> 15 : nameconflict="makeunique">
>> 16 :
>> 17 :  
>
>



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309741
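
The steps described in the message above (ExpandPath, an existence check, create the directory, then upload), as an added example that is not the poster's code. The `uploads` directory name follows the message; the extension allow-list checked after the upload is an addition made here, and resolving the path at run time also avoids a hard-coded drive path (the quoted error shows the template under `C:\CFusionMX7` and a destination under `C:\CFusionMX`).

```cfml
<!--- Resolve the destination relative to the requested page instead of
      hard-coding a drive path --->
<cfset uploadDir = expandPath("./uploads")>
<!--- Assumed allow-list; not part of the thread --->
<cfset allowedExt = "jpg,jpeg,png,gif">

<!--- cffile does not create the destination directory --->
<cfif NOT directoryExists(uploadDir)>
    <cfdirectory action="create" directory="#uploadDir#">
</cfif>

<cfif structKeyExists(form, "uploadProductIMAGE") AND len(form.uploadProductIMAGE)>
    <cffile action="upload"
            filefield="uploadProductIMAGE"
            destination="#uploadDir#"
            nameconflict="makeunique">

    <!--- The cffile scope describes the file as it was written to disk.
          Check the extension it actually has and remove anything that is
          not an image, since the directory sits under the web root. --->
    <cfif NOT listFindNoCase(allowedExt, cffile.serverFileExt)>
        <cffile action="delete" file="#cffile.serverDirectory#/#cffile.serverFile#">
        <cfoutput>Only image files (#allowedExt#) are accepted.</cfoutput>
    <cfelse>
        <cfoutput>Saved as #htmlEditFormat(cffile.serverFile)#</cfoutput>
    </cfif>
</cfif>
```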


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-25 Thread Al Musella, DPM
I won't mention names but a few popular websites I use have been 
hit.. one was down for 3 days now.

Recently I set up an anonymous ftp server.. I needed a few people to 
send me files and I thought that would be the easiest way.  The url 
was private - not published anywhere.. 2 days later my hard drive 
filled up. But I didn't see any files in the ftp directory.  They 
created a directory whose name was a blank space so a quick look 
wouldn't see any extra files there, but there were gigabytes of porn, 
movies and music in there. The funny thing is you can't delete a 
blank directory name from windows explorer, or even a command prompt. 
The trick is to go into a command prompt and do a directory that 
shows the dos version of the filename and delete that!
These people are slick.. we have to start fighting back somehow.




>The impact it has had on the net is negligible. Who can mention 3 sites
>that have been hit that you would have known about if you weren't a
>ColdFusion developer?
>
>The scale and coordination of the attacks are nothing new either. Mail
>servers have been under this sort of attack permanently for as long as I
>can remember. Just bring a blackhole mailserver online that appears to
>be an open relay and see what happens.
>
>The techniques used for (and against) this attack are nothing new. This
>attack has been running against pages with an .asp extension since May.
>It is just that only recently they switched from just attacking ASP to
>other extensions as well.



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309740


Re: CFFILE

2008-07-25 Thread Josh Nathanson
I think that the images directory has to exist already before you do the 
CFFILE operation, in other words it won't create the directory for you.

-- Josh


- Original Message - 
From: "Fawzi Amadu" <[EMAIL PROTECTED]>
To: "CF-Talk" 
Sent: Friday, July 25, 2008 3:10 PM
Subject: Re: CFFILE


> Thanks for the info> I changed my code as follows:
>
> CODE:
>
>  filefield="uploadProductIMAGE"
> destination="C:\CFusionMX\wwwroot\e-Ghana\images\"
> nameconflict="makeunique">
>
> and I get the following error message:
>
>
>
> Attribute validation error for tag CFFILE.
> The value of the attribute destination, which is currently 
> "C:\CFusionMX\wwwroot\e-Ghana\images\", is invalid.
>
> The error occurred in C:\CFusionMX7\wwwroot\e-Ghana\testFileUpload.cfm: 
> line 17
>
> 15 :  filefield="uploadProductIMAGE"
> 16 : destination="C:\CFusionMX\wwwroot\e-Ghana\images\"
> 17 : nameconflict="makeunique">
> 18 :
> 19 :  
>
>>From livedocs:
>>
>>destination: Pathname of directory in which to upload the file. If not
>>an absolute path (starting with a drive letter and a colon, or a forward
>>or backward slash), it is relative to the ColdFusion temporary
>>directory, which is returned by the GetTempDirectory function.
>>
>>
>>I have up written code to upload a file for my computer, but I am
>>getting an error that I do not understand. I used
>>destination="../images/"with the intention of saving the file in the
>>images folder of root of my site. Please help, TIA
>>
>>CODE:
>>
>>> filefield="uploadProductIMAGE"
>> destination="../images/"
>> nameconflict="makeunique">
>>
>>
>>ERROR MESSAGE:
>>
>>Attribute validation error for tag CFFILE.
>>The value of the attribute destination, which is currently "../images/",
>>is invalid.
>>
>>The error occurred in C:\CFusionMX7\wwwroot\e-Ghana\testFileUpload.cfm:
>>line 15
>>
>>13 :  filefield="uploadProductIMAGE"
>>14 : destination="../images/"
>>15 : nameconflict="makeunique">
>>16 :
>>17 :  
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309739


Re: CFFILE

2008-07-25 Thread Fawzi Amadu
Thanks for the info. I changed my code as follows:

CODE:



and I get the following error message:



 Attribute validation error for tag CFFILE.
The value of the attribute destination, which is currently 
"C:\CFusionMX\wwwroot\e-Ghana\images\", is invalid.
 
The error occurred in C:\CFusionMX7\wwwroot\e-Ghana\testFileUpload.cfm: line 17

15 :  filefield="uploadProductIMAGE"
16 : destination="C:\CFusionMX\wwwroot\e-Ghana\images\"
17 : nameconflict="makeunique">
18 : 
19 : 













>From livedocs:
>
>destination: Pathname of directory in which to upload the file. If not
>an absolute path (starting with a drive letter and a colon, or a forward
>or backward slash), it is relative to the ColdFusion temporary
>directory, which is returned by the GetTempDirectory function.
>
>
>I have up written code to upload a file for my computer, but I am
>getting an error that I do not understand. I used
>destination="../images/"with the intention of saving the file in the
>images folder of root of my site. Please help, TIA 
>
>CODE:
>
> filefield="uploadProductIMAGE"
>destination="../images/"
>nameconflict="makeunique">
>
>
>ERROR MESSAGE:
>
>Attribute validation error for tag CFFILE.  
>The value of the attribute destination, which is currently "../images/",
>is invalid.  
>  
>The error occurred in C:\CFusionMX7\wwwroot\e-Ghana\testFileUpload.cfm:
>line 15
> 
>13 :  filefield="uploadProductIMAGE"
>14 :destination="../images/"
>15 :nameconflict="makeunique">
>16 :
>17 :   

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309738


RE: CFFILE

2008-07-25 Thread Dave Francis
From livedocs:

destination: Pathname of directory in which to upload the file. If not
an absolute path (starting with a drive letter and a colon, or a forward
or backward slash), it is relative to the ColdFusion temporary
directory, which is returned by the GetTempDirectory function.


-Original Message-
From: Fawzi Amadu [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2008 4:45 PM
To: CF-Talk
Subject: CFFILE

I have up written code to upload a file for my computer, but I am
getting an error that I do not understand. I used
destination="../images/"with the intention of saving the file in the
images folder of root of my site. Please help, TIA 

CODE:




ERROR MESSAGE:

Attribute validation error for tag CFFILE.  
The value of the attribute destination, which is currently "../images/",
is invalid.  
  
The error occurred in C:\CFusionMX7\wwwroot\e-Ghana\testFileUpload.cfm:
line 15
 
13 :  filefield="uploadProductIMAGE"
14 : destination="../images/"
15 : nameconflict="makeunique">
16 : 
17 : 
 




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309737


WireFrame Viewer/Editor

2008-07-25 Thread Dan LeGate
Just downloaded Kevin Roche's WireFrame Viewer/Editor from 
http://internap.dl.sourceforge.net/sourceforge/wireframetool/Wireframe_5_01.zip 
and am having a few problems.

I'm on Linux, so several references in the files go to lowercase 
filenames, whereas the files themselves are mixed case: 
../customtags/LessWhiteSpace.cfm is one, 
.../controller/wireframe/fbx_Settings.cfm is another (both referenced as 
all lowercase in the code).

These were fairly easy to fix, however now I'm getting:

Invalid list index 0.
In function ListSetAt(list, index [, delimiters]), the value of index, 
0, is not a valid as the first argument (this list has 4 elements). 
Valid indexes are in the range 1 through the number of elements in the list.
The error occurred in 
/var/www/html/wireframe/model/mWireframe/act_createpage.cfm: line 54

which is a little more daunting.  I was poking around sourceforge to see 
how to contact the author/s, but not having any luck, and the forum 
posts end in 2007, so I doubt anyone is watching those.

Anyone know how I can get hold of them for help?  Or whether there's a 
newer version of this software elsewhere out there?

Thanks,

Dan

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309736


Re: Is this a CF bug or just a Java behavior?

2008-07-25 Thread Ian Skinner
Qasim Rasheed wrote:
> Isn't this a simple subtraction?


Simple subtraction on a device that only understands two numbers - zero 
and one.  This isn't a ColdFusion nor Java thing but rather a computer 
thing and affects any and all systems that at their core rely on a 
binary representation of decimal numbers.  Do a quick search and you 
will find tons of Computer Science information on the whys and hows of 
this if you care to.



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309735


CFFILE

2008-07-25 Thread Fawzi Amadu
I have up written code to upload a file for my computer, but I am getting an 
error that I do not understand. I used destination="../images/" with the 
intention of saving the file in the images folder of root of my site. Please 
help, TIA 

CODE:




ERROR MESSAGE:

Attribute validation error for tag CFFILE.  
The value of the attribute destination, which is currently "../images/", is 
invalid.  
  
The error occurred in C:\CFusionMX7\wwwroot\e-Ghana\testFileUpload.cfm: line 15
 
13 :  filefield="uploadProductIMAGE"
14 : destination="../images/"
15 : nameconflict="makeunique">
16 : 
17 : 
 


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309734


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
Tell me about it I told one of my customers E-commerce store to backup
often DB (if u do some edits to DB make a backup!!!) and told him to buy
hard-drive or RAID 1 or RAID 5 solution to backup the DB and website, he
said no no no expensive, 6 days ago he got hit cause who made this site
never used cfqueryparams and I showed him what happened. He freaked out and
told me buy those hard drives :)

They react after hit - always  Cause they wanna save money.

Thanks for the update of the .cfm gonna look at it.

Radek

On Fri, Jul 25, 2008 at 4:19 PM, Mary Jo Sminkey <[EMAIL PROTECTED]>
wrote:

> >Ok gonna check that out thanks.
>
> I just uploaded a new version that includes the cookie scope, and commonly
> used CGI vars as well.
>
> While this has been a headache to deal with, at least it might convince
> more of my customers to get around to updating their sites. ;-) It often
> doesn't matter how often you tell them that updating is important to keep
> their sites secure from attacks, they just don't want to spend the money to
> do it...until they actually get hit.
>
> --- Mary Jo
>
>
>
>
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309733


Re: Is this a CF bug or just a Java behavior?

2008-07-25 Thread Claude Schneegans
>>If you run this piece of code the first value will be 6.2, second will be a
>>NO and then toString will result in 6.199.

This is neither a CF bug nor a Java behavior.
This is a normal behavior in digital computers and the way real numbers 
are stored.
If #c# seems to be output correctly, it is probably because of rounding 
by CF.
But the test fails, because c is not exactly 6.2

As a basic principle in programming, one should never (and I really mean 
*never* ;-)
compare floating values, especially when they are results of an operation.

Instead of c EQ 6.2, one should use Abs (c - 6.2) LTE 0.01
or anything equivalent.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309732


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Mary Jo Sminkey
>Ok gonna check that out thanks.

I just uploaded a new version that includes the cookie scope, and commonly used 
CGI vars as well. 

While this has been a headache to deal with, at least it might convince more of 
my customers to get around to updating their sites. ;-) It often doesn't matter 
how often you tell them that updating is important to keep their sites secure 
from attacks, they just don't want to spend the money to do it...until they 
actually get hit. 

--- Mary Jo





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309731


Is this a CF bug or just a Java behavior?

2008-07-25 Thread Qasim Rasheed
One of my fellow developers discovered some weird behaviour with ColdFusion
number manipulation. Here is an example





Value of c: #c# 
Is c EQ 6.2: #c EQ 6.2# 
ToString on c: #c.toString()# 


If you run this piece of code the first value will be 6.2, second will be a
NO and then toString will result in 6.199.

Isn't this a simple subtraction?


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309730


RE: Custom Tags

2008-07-25 Thread Steve LaBadie
Duh!!

Steve LaBadie, Web Manager
East Stroudsburg University
200 Prospect St.
East Stroudsburg, Pa 18301
570-422-3999
[EMAIL PROTECTED]
http://www.esu.edu
-Original Message-
From: Ian Skinner [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2008 3:50 PM
To: CF-Talk
Subject: Re: Custom Tags

Steve LaBadie wrote:
> I have a CustomTag called iPoll.cfm. Not sure if I should choose the
> Register Java CFX or Register C++ CFX. Does it matter?

Yes it matters and you choose . drum roll please  neither.

Java CFX are for Custom Tags written in ahem Java and C++ CFX are for 
Custom Tags written in voila C++

CFML tags do not need to be registered, just dropped into a Custom Tag 
or web root path.




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309729


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
Ok gonna check that out thanks.

On Fri, Jul 25, 2008 at 3:40 PM, Mary Jo Sminkey <[EMAIL PROTECTED]>
wrote:

> >What do you think about this solution for sites with 5000 files:
>
> This looks similar to the solution I am providing to my customers (I have a
> lot that run old releases that are not as well protected as my current one
> and have little desire to either update their software *or* the code). I
> used the RedEx that Gabriel posted (sorry, don't know your last name as I
> read this list online, let me know and I'll add that to the credits!) and
> made a URL/Form scanner that will abort the page if it finds anything
> illegal. This looks quite a bit more sophisticated, so it depends on how
> much you are getting hit, and how aggressive you want to get.
>
> My simple tool is here, feel free to download and modify as you wish.
>
> http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=17
>
> --- Mary Jo
>
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309728


Re: Custom Tags

2008-07-25 Thread Ian Skinner
Steve LaBadie wrote:
> I have a CustomTag called iPoll.cfm. Not sure if I should choose the
> Register Java CFX or Register C++ CFX. Does it matter?

Yes it matters and you choose... drum roll please... neither.

Java CFX are for Custom Tags written in ahem Java and C++ CFX are for 
Custom Tags written in voila C++

CFML tags do not need to be registered, just dropped into a Custom Tag 
or web root path.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309727


RE: Custom Tags

2008-07-25 Thread Dave Watts
> I have a CustomTag called iPoll.cfm. Not sure if I should 
> choose the Register Java CFX or Register C++ CFX. Does it matter?

You don't register CFML custom tags. You either put them in a specified
custom tags directory, or reference them within your code using the CFMODULE
tag, or specify a tag directory in your code using CFIMPORT, or specify a tag
directory using the new attributes in Application.cfc in CF8.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309726


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Mary Jo Sminkey
>What do you think about this solution for sites with 5000 files:

This looks similar to the solution I am providing to my customers (I have a lot 
that run old releases that are not as well protected as my current one and have 
little desire to either update their software *or* the code). I used the RegEx 
that Gabriel posted (sorry, don't know your last name as I read this list 
online, let me know and I'll add that to the credits!) and made a URL/Form 
scanner that will abort the page if it finds anything illegal. This looks quite 
a bit more sophisticated, so it depends on how much you are getting hit, and 
how aggressive you want to get.

My simple tool is here, feel free to download and modify as you wish. 

http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=17

--- Mary Jo


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309725


Custom Tags

2008-07-25 Thread Steve LaBadie
I have a CustomTag called iPoll.cfm. Not sure if I should choose the
Register Java CFX or Register C++ CFX. Does it matter?

 

Steve LaBadie, Web Manager
East Stroudsburg University
200 Prospect St.
East Stroudsburg, Pa 18301
570-422-3999
[EMAIL PROTECTED]  
http://www.esu.edu  

 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309724


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
I requested that code from them earlier, so in case I will receive it, gonna
send it to you.

Radek

On Fri, Jul 25, 2008 at 2:42 PM, Radek Valachovic <[EMAIL PROTECTED]>
wrote:

> That's what I thought same thing, temporary fix. Thanks for checking that
> out and posting scanners.
>
>
> On Fri, Jul 25, 2008 at 2:42 PM, Dave Watts <[EMAIL PROTECTED]> wrote:
>
>> > What do you think about this solution for sites with 5000 files
>>
>> It may be satisfactory for a temporary fix, to give you enough time to fix
>> your 5000 files. It is almost certainly unsuitable as a permanent
>> solution.
>> This part is fairly vague:
>>
>> "Checks all FORM and URL input for SQL injection code"
>>
>> What does that mean, exactly? Also, this doesn't protect against injection
>> strings in the Cookie or CGI scopes.
>>
>> Dave Watts, CTO, Fig Leaf Software
>> http://www.figleaf.com/
>>
>> Fig Leaf Software provides the highest caliber vendor-authorized
>> instruction at our training centers in Washington DC, Atlanta,
>> Chicago, Baltimore, Northern Virginia, or on-site at your location.
>> Visit http://training.figleaf.com/ for more information!
>>
>> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309723


Re: Report Builder Question

2008-07-25 Thread Mike Greider
Thank you for your help. I've played around with it for days now. Basically, I 
can get the information to only show on the last page without issue. However, 
when all of the fields have the "remove line when blank" option selected, the 
report still has all of the whitespace on each of the previous pages. If I 
shrink the entire band down to nothing and then add the option to allow to 
grow, then nothing displays (which is different than the detail band).

It's frustrating.

Mike

> Yes, it sucks that the option is not available for the entire band.  
> For it to suppress the footer, you have to set all of the fields' 
> "Remove line when blank" property to "true" in the footer section.  
> Also if there is blank space between your fields/lines try adding 
> "dummy" labels with just a "space" for the text value and place it 
> between your "blank" sections of the footer and be sure to set those 
> fields' "Remove line when blank" to true as well. 
> 
> Hope this helps.
> 
> -Carlos
> 
> > It does prevent the text from being displayed, but the whitespace is 
> > still present. As far as I can see, there is no way to set that option 
> > on the entire footer, just all of the contents inside the footer.
> > 
> > Thanks for the suggestion. I'm happy to try any option!
> > 
> > >Hi,
> > >
> > >Try setting the footer text "Remove line when blank" property to true.
> > >
> > >-Carlos 


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309722


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Al Musella, DPM
OK.. You are right.. drop my request..

but I would request 3 other enhancements to Dreamweaver to make these 
changes easier:
1. Put the sql queryparam on the main CF toolbar..
2. When you right click the file name in the Files area you can 
select PUT.. I would like to add that functionality to the tab with 
the filename on the top toolbar. So you can right click the tab and 
select put, instead of having to search in the list for the file name.
3. When I open a page that has an object tag on it, I get a warning 
that I screwed up and would I like Dreamweaver to fix it. How about 
adding to that a check for cfqueryparams when you save a page 
with cfqueries in it and warn when there are none?

I think I got it under control.. at least on my most popular 
sites. Luckily the others are way down in the Google rankings..



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309721


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
That's what I thought same thing, temporary fix. Thanks for checking that
out and posting scanners.

On Fri, Jul 25, 2008 at 2:42 PM, Dave Watts <[EMAIL PROTECTED]> wrote:

> > What do you think about this solution for sites with 5000 files
>
> It may be satisfactory for a temporary fix, to give you enough time to fix
> your 5000 files. It is almost certainly unsuitable as a permanent solution.
> This part is fairly vague:
>
> "Checks all FORM and URL input for SQL injection code"
>
> What does that mean, exactly? Also, this doesn't protect against injection
> strings in the Cookie or CGI scopes.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309720


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Dave Watts
> What do you think about this solution for sites with 5000 files

It may be satisfactory for a temporary fix, to give you enough time to fix
your 5000 files. It is almost certainly unsuitable as a permanent solution.
This part is fairly vague:

"Checks all FORM and URL input for SQL injection code"

What does that mean, exactly? Also, this doesn't protect against injection
strings in the Cookie or CGI scopes.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309719


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Brad Wood
Thanks Ben.

I just got done posting it on my blog just in case.  Both scanners can be 
found here:
http://www.codersrevolution.com/index.cfm/2008/7/25/Today-is-Operation-cfSQLprotect

~Brad

- Original Message - 
From: "Ben Forta" <[EMAIL PROTECTED]>
To: "CF-Talk" 
Sent: Friday, July 25, 2008 1:33 PM
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben 
Forta


> RIAForge is back up ...
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309718


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Ben Forta
RIAForge is back up ...

-Original Message-
From: Radek Valachovic [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2008 2:20 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta

I have it installed already, but other guys in forums asking for scanner so
I suggest that one and when I came to riaforge it didn't work so I was
wondering why. Thanks anyway, but I think on your new page u should post it
there too to download from your server or blog with credits of RiaForge.

Radek

On Fri, Jul 25, 2008 at 2:20 PM, Brad Wood <[EMAIL PROTECTED]> wrote:

> Hmm, it appears to be down-- and Ray is on vacation.  I can post it on my
> blog temporarily if I need to.
>
> Today is Operation cf_SQLprotect!
>
>
> http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect
>
> ~Brad
>
> - Original Message -
> From: "Radek Valachovic" <[EMAIL PROTECTED]>
> To: "CF-Talk" 
> Sent: Friday, July 25, 2008 1:11 PM
> Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
> Forta
>
>
> > RiaForge.org doesn't work, tried to get the cfqueryparam scanner:
> >
> > http://qpscanner.riaforge.org/
> >
> > anybody knows what happened?
> >
> > Radek
>
>
> 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309717


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
What do you think about this solution for sites with 5000 files:

http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9259

and scroll to or just press CTRL+F and find on the page:

Luis Melo Says:
July 24th, 2008 at 9:51 am

What do you think about it?

On Fri, Jul 25, 2008 at 2:20 PM, Radek Valachovic <[EMAIL PROTECTED]>
wrote:

> I have it installed already, but other guys in forums asking for scanner so
> I suggest that one and when I came to riaforge it didn't work so I was
> wondering why. Thanks anyway, but I think on your new page u should post it
> there too to download from your server or blog with credits of RiaForge.
>
> Radek
>
>
> On Fri, Jul 25, 2008 at 2:20 PM, Brad Wood <[EMAIL PROTECTED]> wrote:
>
>> Hmm, it appears to be down-- and Ray is on vacation.  I can post it on my
>> blog temporarily if I need to.
>>
>> Today is Operation cf_SQLprotect!
>>
>> http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect
>>
>> ~Brad
>>
>> - Original Message -
>> From: "Radek Valachovic" <[EMAIL PROTECTED]>
>> To: "CF-Talk" 
>> Sent: Friday, July 25, 2008 1:11 PM
>> Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
>> Forta
>>
>>
>> > RiaForge.org doesn't work, tried to get the cfqueryparam scanner:
>> >
>> > http://qpscanner.riaforge.org/
>> >
>> > anybody knows what happened?
>> >
>> > Radek
>>
>>
>> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309716


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
I have it installed already, but other guys in forums asking for scanner so
I suggest that one and when I came to riaforge it didn't work so I was
wondering why. Thanks anyway, but I think on your new page u should post it
there too to download from your server or blog with credits of RiaForge.

Radek

On Fri, Jul 25, 2008 at 2:20 PM, Brad Wood <[EMAIL PROTECTED]> wrote:

> Hmm, it appears to be down-- and Ray is on vacation.  I can post it on my
> blog temporarily if I need to.
>
> Today is Operation cf_SQLprotect!
>
> http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect
>
> ~Brad
>
> - Original Message -
> From: "Radek Valachovic" <[EMAIL PROTECTED]>
> To: "CF-Talk" 
> Sent: Friday, July 25, 2008 1:11 PM
> Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
> Forta
>
>
> > RiaForge.org doesn't work, tried to get the cfqueryparam scanner:
> >
> > http://qpscanner.riaforge.org/
> >
> > anybody knows what happened?
> >
> > Radek
>
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309715


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Brad Wood
Hmm, it appears to be down-- and Ray is on vacation.  I can post it on my 
blog temporarily if I need to.

Today is Operation cf_SQLprotect!
http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect

~Brad

- Original Message - 
From: "Radek Valachovic" <[EMAIL PROTECTED]>
To: "CF-Talk" 
Sent: Friday, July 25, 2008 1:11 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben 
Forta


> RiaForge.org doesn't work, tried to get the cfqueryparam scanner:
>
> http://qpscanner.riaforge.org/
>
> anybody knows what happened?
>
> Radek


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309714


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Brad Wood
I don't believe DBMSs like MSSQL have a single statement option.  As it has 
already been pointed out, MySQL does and it is the default.

The setting is on a per connection level.  If you are using MySQL and know 
that most of the time you will only have one statement, then create two 
datasources-- one that allows it and one that does not.  Use as needed.  The 
inherent problem with any of this is it still requires the programmer to:
1) use the correct datasource and not be lazy
2) properly secure the queries that allow the multiple statements and not be 
lazy

Worst of all, not all SQL injection attacks require a second statement!!!

Many attacks use a union to pull additional data out in a select and that is 
_totally_ allowed in MySQL in single statement mode.

Basically, we as the programmers don't get out of this one.  We have to 
be relied upon to consistently do SOMETHING whether it is use the correct 
datasource etc.

So here's the thing, if you are going to go through trouble to do ANYTHING, 
just make sure that we always use cfqueryparam-- that is the only option 
that will always work without many gotchas.  I think that is energy better 
spent.

~Brad

- Original Message - 
From: "Claude Schneegans" <[EMAIL PROTECTED]>
To: "CF-Talk" 
Sent: Friday, July 25, 2008 12:46 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben 
Forta


> >>I have to hand it to Claude - he definitely has confidence
>
> Well, unless ODBC and JDBC have some function to enable/disable multi
> statements,
> It would certainly be much trouble to implement this in CF.
> I've checked rapidly in the ODBC docs, and I don't see any reference to
> multi statement.
>
> Anyway, if the option was available, it shouldn't be the default, for 
> sure.
>


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309713
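
The point made in the message above, that single-statement mode does not stop UNION-based injection while a bound parameter does, as an added example that is not part of the original thread. Assumptions: Python's sqlite3 driver (which accepts only one statement per execute call) stands in for a single-statement datasource, a bound parameter stands in for cfqueryparam, and the tables, rows and input strings are constructed.

```python
import sqlite3

# Constructed inputs, as they would arrive in a URL parameter such as ?id=...
STACKED = "1; DELETE FROM products"              # needs a second statement
UNION = "0 UNION SELECT id, login FROM users"    # fits in a single statement


def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
        """
    )
    return db


def lookup_concatenated(db, product_id):
    """Vulnerable form: the request value is pasted into the SQL text."""
    sql = "SELECT id, name FROM products WHERE id = " + product_id
    return db.execute(sql).fetchall()


def lookup_bound(db, product_id):
    """Hardened form: the request value is bound as data, never parsed as SQL."""
    sql = "SELECT id, name FROM products WHERE id = ?"
    return db.execute(sql, (product_id,)).fetchall()


def try_lookup(fn, db, value):
    """Run a lookup and report either its rows or the driver's rejection."""
    try:
        return ("rows", fn(db, value))
    except (sqlite3.Warning, sqlite3.Error) as exc:
        # sqlite3 refuses more than one statement per execute() call; the
        # exception class differs between Python versions, so catch both.
        return ("rejected", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    cases = [
        ("concatenated + stacked", lookup_concatenated, STACKED),
        ("concatenated + union", lookup_concatenated, UNION),
        ("bound + stacked", lookup_bound, STACKED),
        ("bound + union", lookup_bound, UNION),
        ("bound + legitimate id", lookup_bound, "1"),
    ]
    for label, fn, value in cases:
        print(f"{label:26} -> {try_lookup(fn, db, value)}")
```

The concatenated query blocks the stacked input only because the driver refuses a second statement; the UNION input is one statement and returns a row from the users table. With the bound parameter both inputs are compared as plain values and match nothing.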


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
RiaForge.org doesn't work, tried to get the cfqueryparam scanner:

http://qpscanner.riaforge.org/

anybody knows what happened?

Radek

On Fri, Jul 25, 2008 at 1:46 PM, Claude Schneegans <
[EMAIL PROTECTED]> wrote:

>  >>I have to hand it to Claude - he definitely has confidence
>
> Well, unless ODBC and JDBC have some function to enable/disable multi
> statements,
> It would certainly be much trouble to implement this in CF.
> I've checked rapidly in the ODBC docs, and I don't see any reference to
> multi statement.
>
> Anyway, if the option was available, it shouldn't be the default, for sure.
>
> --
> ___
> REUSE CODE! Use custom tags;
> See http://www.contentbox.com/claude/customtags/tagstore.cfm
> (Please send any spam to this address: [EMAIL PROTECTED])
> Thanks.
>
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309712


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Claude Schneegans
 >>I have to hand it to Claude - he definitely has confidence

Well, unless ODBC and JDBC have some function to enable/disable multi 
statements,
It would certainly be much trouble to implement this in CF.
I've checked rapidly in the ODBC docs, and I don't see any reference to 
multi statement.

Anyway, if the option was available, it shouldn't be the default, for sure.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309711


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Claude Schneegans
 >>That is more a function of the db.

Exactly, and I don't see how CF could prevent multiple execution.
It should compile the SQL code for that, and it does not.
Unless ODBC/JDBC drivers have a function to disable it.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309710


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Mark Kruger
I have to hand it to Claude - he definitely has confidence :)


-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2008 12:15 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta

 >>  how about changing cfquery so that by default, only ONE sql
 >>statement can be sent.  Let us override that with a parameter in
 >>cfquery or a cfprocessing directive type of thing in our application.cfm..

Pretty good idea.

 >>I doubt many people use multiple sql statements in one cfquery,

Also note that certain databases, like Access won't allow multiple statements
anyway.
I know, I know, some ayatollah will say "NEVER use *Access*"...

--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED]) Thanks.




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309709


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
Is there a kind of way to stop the botnet from spamming websites? Hacker has
to stop it? or right now if it is automated is there any way?

Radek

On Fri, Jul 25, 2008 at 12:56 PM, Dave Watts <[EMAIL PROTECTED]> wrote:

> > Seeing as how this type of sql injection attack is
> > succeeding so much (even my favorite fishing website has been
> > down for days due to it (it is a .cfm site))...
> >   how about changing cfquery so that by default, only ONE sql
> > statement can be sent.  Let us override that with a parameter
> > in cfquery or a cfprocessing directive type of thing in our
> > application.cfm..
>
> The problem with this, as Jochem points out, is that it would require CF to
> parse SQL. This is a losing battle, as each database will do different
> things when given an SQL batch. What if databases automatically escape
> Unicode character sequences? Then CF would have to do the same.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309708


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Claude Schneegans
 >>  how about changing cfquery so that by default, only ONE sql
 >>statement can be sent.  Let us override that with a parameter in
 >>cfquery or a cfprocessing directive type of thing in our application.cfm..

Pretty good idea.

 >>I doubt many people use multiple sql statements in one cfquery,

Also note that certain databases, like Access won't allow multiple 
statements anyway.
I know, I know, some ayatollah will say
"NEVER use *Access*"...

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309707


RE: cfpdf update title metadata--

2008-07-25 Thread Stone, Lori
Hello?  Is this thing on???
I know someone has to have updated the metadata for a pdf before.  Yes,
I am very frustrated :)
Anyone have any ideas as to why it is updating the windows properties
and not the pdf properties???  

Chandan Kumar are you around
 
-Lori


-Original Message-
From: Stone, Lori 
Sent: Friday, July 25, 2008 11:07 AM
To: CF-Talk
Subject: cfpdf update title metadata--HELP

I am using cfpdf to update the metadata for a bunch of pdf files.  It is
updating the title in the windows properties but not the pdf properties.
This is not working well with the verity search.  Am I doing something
wrong or is there another way to do this?  

 



 













Could not update







File does not exist!



 

Thanks!

Lori

 





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309706


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Robert Harrison
Sorry for the outburst, but that scared me. I could just see me telling all
my clients, well, that used to work. Sorry about that. :-)



Robert B. Harrison
Director of Interactive services
Austin & Williams
125 Kennedy Drive, Suite 100 Hauppauge NY 11788
T : 631.231.6600 Ext. 119 
F : 631.434.7022
www.austin-williams.com

Great advertising can't be either/or... It must be &.

-Original Message-
From: Matt Quackenbush [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2008 12:42 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta

+Infinity.

(I'd add some sort of really intelligent comment, but, well, Robert already
covered that part.)


On Fri, Jul 25, 2008 at 11:14 AM, Robert Harrison wrote:

> > how about changing cfquery so that by default...
>
> NO NO NO NO NO NO NO NO
>
> I've used nested SQL all the time, and I've got over 100 web sites up.
> Validate and use REREPLACE and CFQUERYPARAM and you're fine.
> Don't ever make a function change that kills existing code written
> correctly.
>




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309705


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Dave Watts
> Seeing as how this type of sql injection attack is 
> succeeding so much (even my favorite fishing website has been 
> down for days due to it (it is a .cfm site))...
>   how about changing cfquery so that by default, only ONE sql 
> statement can be sent.  Let us override that with a parameter 
> in cfquery or a cfprocessing directive type of thing in our 
> application.cfm..

The problem with this, as Jochem points out, is that it would require CF to
parse SQL. This is a losing battle, as each database will do different
things when given an SQL batch. What if databases automatically escape
Unicode character sequences? Then CF would have to do the same.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309704


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Matt Quackenbush
+Infinity.

(I'd add some sort of really intelligent comment, but, well, Robert already
covered that part.)


On Fri, Jul 25, 2008 at 11:14 AM, Robert Harrison wrote:

> > how about changing cfquery so that by default...
>
> NO NO NO NO NO NO NO NO
>
> I've used nested SQL all the time, and I've got over 100 web sites up.
> Validate and use REREPLACE and CFQUERYPARAM and you're fine.
> Don't ever make a function change that kills existing code written
> correctly.
>


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309703


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Greg Morphis
If you spent more time securing your variables then it wouldn't be much
of a problem..
E.g., if you create a database field lname char(50), in CF check the
length before passing that variable to your CFQUERY..
There's isnumeric() to check for numbers, there are ways to help protect
yourself from this without going to the extreme that you suggest
>
> - Original Message -
> From: "Al Musella, DPM" <[EMAIL PROTECTED]>
> To: "CF-Talk" 
> Sent: Friday, July 25, 2008 9:04 AM
> Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
> Forta
>
>
>> Ben,
>>Seeing as how this type of sql injection attack is succeeding so
>> much (even my favorite fishing website has been down for days due to
>> it (it is a .cfm site))...
>>  how about changing cfquery so that by default, only ONE sql
>> statement can be sent.  Let us override that with a parameter in
>> cfquery or a cfprocessing directive type of thing in our application.cfm..
>>
>> I doubt many people use multiple sql statements in one cfquery, and
>> those that do are probably advanced enough to know to add the
>> parameter for allowing it..
>>
>> You can call this enhancement request cf_trainingWheels
>>
>>
>> How many people out there group together (intentionally) multiple sql
>> statements in one cfquery?  (Like "select email from users where
>> id=1; drop table users")
>>
>> Al
>>
>>
>>
>>
>>
>>
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309702


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Josh Nathanson
That is more a function of the db.  I know that by default, MySQL does not 
allow multiple sql statements.  You have to change a setting to allow this.

I suppose this could be added to CF as well, but it would have to allow 
multiples by default, so that it would be backwards compatible.  So you'd 
still have to remember to switch it off.

-- Josh


- Original Message - 
From: "Al Musella, DPM" <[EMAIL PROTECTED]>
To: "CF-Talk" 
Sent: Friday, July 25, 2008 9:04 AM
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben 
Forta


> Ben,
>Seeing as how this type of sql injection attack is succeeding so
> much (even my favorite fishing website has been down for days due to
> it (it is a .cfm site))...
>  how about changing cfquery so that by default, only ONE sql
> statement can be sent.  Let us override that with a parameter in
> cfquery or a cfprocessing directive type of thing in our application.cfm..
>
> I doubt many people use multiple sql statements in one cfquery, and
> those that do are probably advanced enough to know to add the
> parameter for allowing it..
>
> You can call this enhancement request cf_trainingWheels
>
>
> How many people out there group together (intentionally) multiple sql
> statements in one cfquery?  (Like "select email from users where
> id=1; drop table users")
>
> Al
>
>
>
>
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309701


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Jochem van Dieten
Al Musella, DPM wrote:
> Seeing as how this type of sql injection attack is succeeding so 
> much (even my favorite fishing website has been down for days due to 
> it (it is a .cfm site))...
>   how about changing cfquery so that by default, only ONE sql 
> statement can be sent.

That is a *very* bad idea since it would require CF to understand SQL. 
And not just SQL as the standard defines it, but every dialect 
implemented by every database. There is no way that CF would be able to 
reliably do that.


If you want an example of how bad this would be just try and see what 
happens if you take one of your current datasources, go to advanced 
properties and unselect every operation except SELECT. Then run the 
following statements:

-- x
DROP TABLE x


SELECT 'test some string ; DROP c' FROM x


SET nocount on
DROP TABLE x
SET nocount off


ColdFusion is a CFML engine. Everything that isn't CFML should be 
treated as opaque. (And the current 'feature' to limit SQL operations 
should be ripped out.)

Jochem
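
The three statements above, run past a text-level guard, as an added example that is not part of the original message and is not ColdFusion's datasource check: `guard_allows` is a hypothetical filter, SQLite stands in for the database, and the sample rows are constructed. The last function shows the bound-parameter alternative (what cfqueryparam provides), using the input string from Al's question.

```python
import sqlite3

# Operations the hypothetical guard refuses (everything that is not a read).
BLOCKED = {"INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER"}

# The three statements from the message above.
COMMENT_THEN_DROP = "-- x\nDROP TABLE x"
SEMICOLON_IN_LITERAL = "SELECT 'test some string ; DROP c' FROM x"
BATCH_NO_SEMICOLON = "SET nocount on\nDROP TABLE x\nSET nocount off"


def guard_allows(sql):
    """Hypothetical text-level guard: one statement, no blocked leading keyword.

    It inspects characters only, so it cannot tell a comment, a string
    literal, or a dialect-specific batch separator from real syntax.
    """
    text = sql.strip().rstrip(";")
    if ";" in text:  # "looks like" a second statement
        return False
    words = text.split()
    return bool(words) and words[0].upper() not in BLOCKED


def fresh_db():
    """Throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE x (c TEXT)")
    conn.execute("INSERT INTO x VALUES ('row')")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'al@example.test')")
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def drops_x(sql):
    """Ground truth from a real SQL parser: does running sql remove table x?"""
    conn = fresh_db()
    conn.execute(sql)
    return not table_exists(conn, "x")


def lookup_email(conn, user_id):
    """Bound parameter: user_id travels as data and is never parsed as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE id = ?", (user_id,))
    return [email for (email,) in rows]


if __name__ == "__main__":
    # SQLite has no SET NOCOUNT, so the third statement only goes through the
    # guard; on a T-SQL server whitespace alone separates the statements.
    for name in ("COMMENT_THEN_DROP", "SEMICOLON_IN_LITERAL"):
        sql = globals()[name]
        print(name, "guard allows:", guard_allows(sql), "drops x:", drops_x(sql))
    print("BATCH_NO_SEMICOLON guard allows:", guard_allows(BATCH_NO_SEMICOLON))
    conn = fresh_db()
    print(lookup_email(conn, 1), lookup_email(conn, "1; drop table users"))
    print("users table still present:", table_exists(conn, "users"))
```

The guard passes the commented DROP and the semicolon-free batch while rejecting the harmless SELECT, which is the misclassification the message warns about; the bound parameter needs no knowledge of the SQL dialect at all.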

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309700


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread John Rossi
I also use this to get the new key on inserted records, and have used
cfqueryparam for years to protect against this sort of attack, and for
performance reasons.

Functionality shouldn't be sacrificed just to protect careless developers
from themselves.

John

-Original Message-
From: Dave Francis [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2008 12:16 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta

I find it useful on occasion with INSERT then SELECT @IDENTITY

-Original Message-
From: Al Musella, DPM [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta

Ben,
Seeing as how this type of sql injection attack is succeeding so much
(even my favorite fishing website has been down for days due to it (it is a
.cfm site))...
  how about changing cfquery so that by default, only ONE sql statement can
be sent.  Let us override that with a parameter in cfquery or a cfprocessing
directive type of thing in our application.cfm..

I doubt many people use multiple sql statements in one cfquery, and those
that do are probably advanced enough to know to add the parameter for
allowing it..

You can call this enhancement request cf_trainingWheels


How many people out there group together (intentionally) multiple sql
statements in one cfquery?  (Like "select email from users where id=1; drop
table users")

Al

  







Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309699


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Dave Francis
I find it useful on occasion with INSERT then SELECT @IDENTITY

-Original Message-
From: Al Musella, DPM [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2008 12:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To
Ben Forta

Ben,
Seeing as how this type of sql injection attack is succeeding so
much (even my favorite fishing website has been down for days due to it
(it is a .cfm site))...
  how about changing cfquery so that by default, only ONE sql statement
can be sent.  Let us override that with a parameter in cfquery or a
cfprocessing directive type of thing in our application.cfm..

I doubt many people use multiple sql statements in one cfquery, and
those that do are probably advanced enough to know to add the parameter
for allowing it..

You can call this enhancement request cf_trainingWheels


How many people out there group together (intentionally) multiple sql
statements in one cfquery?  (Like "select email from users where id=1;
drop table users")

Al

  





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309698


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Robert Harrison
> how about changing cfquery so that by default... 

NO NO NO NO NO NO NO NO

I've used nested SQL all the time, and I've got over 100 web sites up. 
Validate and use REREPLACE and CFQUERYPARAM and you're fine.
Don't ever make a function change that kills existing code written
correctly.


Robert B. Harrison
Director of Interactive services
Austin & Williams
125 Kennedy Drive, Suite 100 Hauppauge NY 11788
T : 631.231.6600 Ext. 119 
F : 631.434.7022
www.austin-williams.com

Great advertising can't be either/or... It must be &.




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309697


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Al Musella, DPM
Ben,
Seeing as how this type of sql injection attack is succeeding so 
much (even my favorite fishing website has been down for days due to 
it (it is a .cfm site))...
  how about changing cfquery so that by default, only ONE sql 
statement can be sent.  Let us override that with a parameter in 
cfquery or a cfprocessing directive type of thing in our application.cfm..

I doubt many people use multiple sql statements in one cfquery, and 
those that do are probably advanced enough to know to add the 
parameter for allowing it..

You can call this enhancement request cf_trainingWheels


How many people out there group together (intentionally) multiple sql 
statements in one cfquery?  (Like "select email from users where 
id=1; drop table users")

Al

  



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309696


RE: Using a function outsideof the call page.

2008-07-25 Thread Dave Phillips
>>Dave, Thanks. Is one preferred over the other? Is one more friendly to
understand when reading the code?

Matthew,

I also forgot you could create a custom tag as well. :)

Shannon is right, cfinclude is probably the 'simplest'.  However, you could
start a weeks long discussion on this forum about which is 'preferred' or
'better'.  Bottom line, is - it's your code so do it in the way that you
feel is most supportable in your environment.  I've had managers that didn't
like CFC's at all and wanted everything in includes.  I've had managers that
couldn't stand includes and wanted CFCs.  

There is *at least* one huge advantage of using CFC's over using includes,
and that is that variables are localized to a CFC and cannot be seen, nor
can they alter other variables in your .CFM page.  However, truth be told,
if all you have inside your .CFM is  and you use  to
define each of your variables inside each function, then, at the very least,
you are not going to 'overwrite' any variables used in your .CFM, however,
it could happen by another programmer that might come along behind you.

I prefer CFCs and think they are simple and easy to use, it's just a matter
of getting used to a new way of calling your functions.

Now, if I *really* wanted to get people going on this forum on this topic, I
would say something like, "You should ALWAYS use CFCs" or "You should NEVER
use CFINCLUDES" but I would never really say anything like that unless it
was just to have some Friday Fun. ;-)

Dave


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309695


Re: Using a function outsideof the call page.

2008-07-25 Thread Shannon Peevey
>>Dave
> Dave,
> Thanks. Is one preferred over the other? Is one more friendly to 
> understand when reading the code?
>

The cfinclude idea is the simplest.  You are just including "normal"
coldfusion code into the file.  I tend to use the various options for
different things within the same application.

speeves

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309694


Re: Using a function outsideof the call page.

2008-07-25 Thread Matthew MattCFIrwin
>>> I am currently calling a cffunction that is on the same page using <cfset myVar = GetVar(Toy)>. The GetVar is written on the same page. However I want
>to call another function the same way but it is on a different page. Is there
>a way of calling it without having to copy and paste it into this page?
>Thanks
>
>Matthew,
>
>You can use a CFC.  Create a file called:  user_functions.cfc (or whatever
>you want to call it).
>
>
>   
>    your function code here
>   
>
>
>Now when you want to call it, you can either use <cfinvoke> to call it, or
>you can use createObject() to create a variable that represents the CFC and
>then call the function with that variable, like this:
>
>
>
>
>Use those lines of code in both your pages.
>
>There are plenty of best practices on the net for CFCs and where you put
>them and naming conventions and so on, but this is the basics for you
>anyway.  You can look up the docs for CFINVOKE if you'd rather use it.
>
>Dave
Dave,
 Thanks. Is one preferred over the other? Is one more friendly to understand 
when reading the code? 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309693


Re: Using a function outsideof the call page.

2008-07-25 Thread Yuliang Ruan
put your function declaration in a shared file include it.   or put the include 
in your application cfm/cfc.

just start making your own function libraries :) 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309692


cfpdf update title metadata--HELP

2008-07-25 Thread Stone, Lori
I am using cfpdf to update the metadata for a bunch of pdf files.  It is
updating the title in the windows properties but not the pdf properties.
This is not working well with the verity search.  Am I doing something
wrong or is there another way to do this?  

 



 













Could not update







File does not exist!



 

Thanks!

Lori

 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309691


RE: Using a function outsideof the call page.

2008-07-25 Thread Dave Phillips
>> I am currently calling a cffunction that is on the same page using 
>> <cfset myVar = GetVar(Toy)>. The GetVar is written on the same page. 
>> However I want to call another function the same way but it is on a 
>> different page. Is there a way of calling it without having to copy 
>> and paste it into this page? Thanks 

>put the function in a shared scope, as in session.foo(doSomething).

Matthew,

Yet another method would be to create a separate file, put your function in
that file, and then do a <cfinclude> of that file for each page you want to
use it on.  As you can see, there are a number of ways you can accomplish
this.

You could also put it in the application scope as well.

Dave


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309690


RE: Using a function outsideof the call page.

2008-07-25 Thread Dave Phillips
>> I am currently calling a cffunction that is on the same page using <cfset myVar = GetVar(Toy)>. The GetVar is written on the same page. However I want
>> to call another function the same way but it is on a different page. Is there
>> a way of calling it without having to copy and paste it into this page?
>> Thanks

Matthew,

You can use a CFC.  Create a file called:  user_functions.cfc (or whatever
you want to call it).



 your function code here



Now when you want to call it, you can either use <cfinvoke> to call it, or
you can use createObject() to create a variable that represents the CFC and
then call the function with that variable, like this:




Use those lines of code in both your pages.

There are plenty of best practices on the net for CFCs and where you put
them and naming conventions and so on, but this is the basics for you
anyway.  You can look up the docs for CFINVOKE if you'd rather use it.

Dave


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309689


Re: Using a function outsideof the call page.

2008-07-25 Thread Larry Lyons
> I am currently calling a cffunction that is on the same page using 
> <cfset myVar = GetVar(Toy)>. The GetVar is written on the same page. 
> However I want to call another function the same way but it is on a 
> different page. Is there a way of calling it without having to copy 
> and paste it into this page? Thanks 

put the function in a shared scope, as in session.foo(doSomething).

hth,
larry


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309688


Re: Using a function outsideof the call page.

2008-07-25 Thread Shannon Peevey
On Fri, Jul 25, 2008 at 8:36 AM, Matthew Irwin <[EMAIL PROTECTED]> wrote:
> I am currently calling a cffunction that is on the same page using <cfset myVar = GetVar(Toy)>. The GetVar is written on the same page. However I want 
> to call another function the same way but it is on a different page. Is there 
> a way of calling it without having to copy and paste it into this page? Thanks
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309687


Using a function outsideof the call page.

2008-07-25 Thread Matthew Irwin
I am currently calling a cffunction that is on the same page using <cfset myVar = GetVar(Toy)>. The GetVar is written on the same page. However I want to call 
another function the same way but it is on a different page. Is there a way of 
calling it without having to copy and paste it into this page? Thanks 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309686


Barclays ePDQ MPI Integration

2008-07-25 Thread Paul Giesenhagen
Heya Folks,

Has anyone out there had any success in connecting via XML to BarclayCards ePDQ 
MPI?

Having some troubles and would like some help... example code would be 
tremendous...

Thank you in advance

Paul


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309685


Re: how to reduce PDF size?

2008-07-25 Thread Stephen Hait
>  needed.  The problem I find is that there is no images what-so-ever and a
>  250 page document is about 200k.  Is this as good as it gets?  I'm curious

That actually seems pretty good based on my experience. I've seen
documents only one or two pages long with no graphics that are this
size. I'm wondering how you get them so small.

Stephen

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309684


Re: Spry screen dimmer effect

2008-07-25 Thread Walter Conti
>Please advise about Spry screen dimmer effect.
>Does it exists?
>Thank you.

Thank You Mary Jo :-) 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309683