CommonSpot question
Hey all, I know there's at least a couple of CommonSpot users on here who might be able to answer a question. :)

Is there a way to restrict what a CommonSpot Authoring server pushes to the ROP servers? My government client is having an issue where a web.config file is getting pushed up to ROPs, which munges up the ROP configuration.

Thanks

Scott Stewart

--
Scott Stewart
Adobe Certified Instructor, ColdFusion 8 & 9
Adobe Certified Expert, ColdFusion 8 & 9
Blog: http://www.sstwebworks.com
Email: webmas...@sstwebworks.com

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359551
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
cfqueryparam EncodeForHTML
Text input field. Entry is

Johnson & Johnson's

I store it in a table using cfqueryparam. All is good.

Let's say the hacked entry is

Johnson & Johnson's;delete *

(or something akin to that - you get the drift)

I use cfqueryparam but it won't catch the hack; it's still just a string.

At some point, before storing or after retrieval, I use EncodeForHTML to make that safe. Now I have either

Johnson &amp; Johnson&#x27;s

or

Johnson &amp; Johnson&#x27;s&#x3b;delete &#x2a;

Supposedly, that's safe.

Regex could strip out the delete or kill the thing when I tried to save the data in the first place, but I tried several examples and none seemed to work.

The thing is, Johnson &amp; Johnson&#x27;s may display correctly on the screen but it's not good for a search function, particularly if I have a legacy database.

To parody a commercial for a different product, what are you using for protection?

Larry V. Stephen

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359552
Re: Non-profit donation providers
I use paypal. Couldn't be easier, and they give a discount on the rates to nonprofits... however, there is one big problem...

Bad people have been using my donation form to test stolen credit cards. They use the stolen credit cards to make a small donation to see if the cards work. I have the security set so they need address verification as well as the security code and still many get through. When someone complains of fraud, paypal removes the donation and a big fee (around $25.. I forget the exact amount)... and threatens me that they will cut off my account if my fraud rate doesn't go down.. I called them and they offer no help at all.

So what I do now is have my server send an email to my phone when a donation is made. If it looks suspicious, I click a link in the email that will ban that IP address from making a successful donation (anything they try gets them a page that says the donation failed.) Then I go back and reverse any donations that got through with that IP address or amount around that time. Most of the time they are all the same amount.. We have a $5 minimum, so they are mostly $5. Before I had a minimum, they were usually $1.

I also allow only 3 attempts per IP address per day.. even if successful - it will alert me and I check to verify the donations they made were good.

> Hi Folks
>
> Any recommendations for church/non-profit online donations, especially recurring donations?
>
> Thanks
> Rob
>
> Robert J. Voyle, Psy.D.
> Director, Clergy Leadership Institute
> For Coaching and Training in Appreciative Inquiry
> Author: Restoring Hope: Appreciative Strategies to Resolve Grief and Resentment
> http://www.appreciativeway.com/
> 503-647-2378 or 503-647-2382

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359553
Using HighCharts.js with cfdocument
Does anyone have experience getting HighCharts.js to work with cfdocument? We would like to display the charts on printed reports or emails and are not sure if we should go the Phantom.js route that it (briefly) describes within the HighCharts.js documentation or if there are other options using CF.

Whatever you're doing, I'd love to see an example with HighCharts.js and CF working together to get a printed report or email.

Thanks in advance.

Dan

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359554
Re: cfqueryparam EncodeForHTML
Read up on how query param works. It will protect against

Johnson & Johnson's;delete *

On 11/3/14, 12:41 PM, Stephens, Larry V wrote:

> Text input field. Entry is
>
> Johnson & Johnson's
>
> I store it in a table using cfqueryparam. All is good.
>
> Let's say the hacked entry is
>
> Johnson & Johnson's;delete *
>
> (or something akin to that - you get the drift)
>
> I use cfqueryparam but it won't catch the hack; it's still just a string.
>
> At some point, before storing or after retrieval, I use EncodeForHTML to make that safe. Now I have either
>
> Johnson &amp; Johnson&#x27;s
>
> or
>
> Johnson &amp; Johnson&#x27;s&#x3b;delete &#x2a;
>
> Supposedly, that's safe.
>
> Regex could strip out the delete or kill the thing when I tried to save the data in the first place, but I tried several examples and none seemed to work.
>
> The thing is, Johnson &amp; Johnson&#x27;s may display correctly on the screen but it's not good for a search function, particularly if I have a legacy database.
>
> To parody a commercial for a different product, what are you using for protection?
>
> Larry V. Stephen

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359555
Re: cfqueryparam EncodeForHTML
Larry,

You are already using cfqueryparam so you are protected for the most part. I say most part, because you could still extract the data from the db and have bad consequences if you are not considerate of the underlying data and how you use it. Like querying malicious data and using it in another cfquery without cfqueryparam.

In general it is best practice to save data as it was transmitted and in as raw a format as possible and leave the logic up to the application on how to process and present data. Could get rebuttals on that but it is my preference.

That said, it's not that you shouldn't or can't html encode. You just need to make the decision based on the requirements at hand. If you're storing html code for presentation later, this may very well make sense, where doing so for a company name probably does not.

+1 on being so security aware.

Byron

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359556
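An added CFML example (not code from any poster in this thread) showing the approach Byron describes: store the raw value with cfqueryparam, search the raw column, encode only at output with encodeForHTML(), and avoid the second-order mistake of interpolating stored data into a later query. The datasource "appDSN", the company and orders tables, and the form fields are assumptions.

```cfml
<!--- Added example, not from the thread. Assumed: datasource "appDSN",
      tables company(name) and orders(id, company), form fields name and q. --->

<!--- 1. Store the value exactly as typed. cfqueryparam sends it as a bound
      parameter, so "Johnson & Johnson's;delete *" reaches the database as a
      plain string value and is never part of the SQL text. --->
<cfquery datasource="appDSN">
    INSERT INTO company (name)
    VALUES (<cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar" maxlength="200">)
</cfquery>

<!--- 2. Search runs against the raw text, so a user typing "Johnson &" finds
      the row. This is why the stored column should hold "&", not "&amp;". --->
<cfquery name="hits" datasource="appDSN">
    SELECT name FROM company
    WHERE name LIKE <cfqueryparam value="%#form.q#%" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- 3. Encode at the point of output, for the context being written into.
      "&" becomes "&amp;" in the HTML only; the database row is untouched. --->
<ul>
<cfoutput query="hits">
    <li>#encodeForHTML(hits.name)#</li>
</cfoutput>
</ul>

<!--- 4. The second-order hazard Byron mentions: data that was stored safely is
      still attacker-controlled. Writing it into a later query as
      WHERE company = '#hits.name#' would turn ";delete *" back into SQL.
      Bind it again instead (hits.name outside the loop is the first row). --->
<cfquery name="orders" datasource="appDSN">
    SELECT id FROM orders
    WHERE company = <cfqueryparam value="#hits.name#" cfsqltype="cf_sql_varchar">
</cfquery>
```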