Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Mike Kear
Last night I watched as someone made a pretty determined attempt to attack one of my web sites. Thankfully I'd heeded good advice and used cfqueryparam on all the queries in that site and nothing they tried worked. They were submitting URLs with parameters like:

SOT: Select at least one select

2011-05-02 Thread Kevin Parker
Have an interesting problem that no end of trawling the net has solved for me. Have a form that has 6 select boxes on it. I want to check that the user has selected at least one option from any of the six select boxes (doesn't matter which one but must be at least one from any dropdown).

Re: SOT: Select at least one select

2011-05-02 Thread Jason Fisher
(in JavaScript, called on the form tag: <form onsubmit="return validateMyForm(this);"> )

    function validateMyForm(frm) {
        var selectTest = false;
        if (frm.select1.selectedIndex > 0) {
            var selectTest = true;
        } else if (frm.select2.selectedIndex > 0) {
            var selectTest = true;
        } else if

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Claude Schnéegans
Right. However about CFQUERYPARAM, keep in mind that: - this will prevent SQL injection, not all forms of attack; - CFQUERYPARAM makes all values look like parameter 1... in the error messages, instead of the real values, not really handy when debugging; - CFQUERYPARAM makes all queries more
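An added example, not from the thread and not ColdFusion code: the distinction the posts above are arguing about, shown with Python's standard sqlite3 module. The "unsafe" functions splice the URL value into the SQL text, which is what a raw #url.id# in a cfquery does; the "bound" functions do what cfqueryparam does, validating the type (as cfsqltype="cf_sql_integer" would) and sending the value as a bound parameter that the database never parses as SQL. The table, rows and attack payloads are constructed for the example. render_for_log addresses the debugging complaint: it shows the query with its values for a log line while the executed statement still uses placeholders.

```python
import sqlite3

# Constructed sample data for this example (not from the thread).
USERS = [
    (1, "alice", "5f4dcc3b5aa765d61d8327deb882cf99", "alice@example.com"),
    (2, "bob", "e99a18c4428cb38d5f260853678922e3", "bob@example.com"),
]
PRODUCTS = [(1, "widget"), (2, "gadget")]


def make_db():
    """In-memory database with a public 'products' table and a 'users' table an attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def product_by_id_unsafe(conn, product_id):
    """The pattern cfqueryparam replaces: the request value becomes part of the SQL text."""
    sql = "SELECT id, name FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def product_by_id_bound(conn, product_id):
    """Equivalent of <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">:
    type-check first, then bind; the value is data, never SQL."""
    try:
        pid = int(product_id)
    except ValueError:
        raise ValueError("product id must be an integer, got %r" % (product_id,))
    return conn.execute("SELECT id, name FROM products WHERE id = ?", (pid,)).fetchall()


def product_by_name_unsafe(conn, name):
    """String column, same mistake: quotes in the input end the literal early."""
    sql = "SELECT id, name FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def product_by_name_bound(conn, name):
    """Equivalent of cfsqltype="cf_sql_varchar": quotes in the value stay inside the value."""
    return conn.execute("SELECT id, name FROM products WHERE name = ?", (name,)).fetchall()


def render_for_log(sql, params):
    """Debug aid only: substitute the bound values into the placeholders for a log line.
    The rendered string is never executed, so the bound query keeps its protection."""
    out = sql
    for p in params:
        lit = str(p) if isinstance(p, int) else "'" + str(p).replace("'", "''") + "'"
        out = out.replace("?", lit, 1)
    return out


def demo():
    """Run the same payloads through both styles; returns the results for inspection."""
    conn = make_db()
    tautology = "1 OR 1=1"                      # returns every product
    union = "1 UNION SELECT id, username || ':' || pw_hash FROM users"  # pulls credentials
    quoted = "' OR '1'='1"                      # breaks out of a string literal
    results = {
        "unsafe_tautology": product_by_id_unsafe(conn, tautology),
        "unsafe_union": product_by_id_unsafe(conn, union),
        "unsafe_quoted": product_by_name_unsafe(conn, quoted),
        "bound_quoted": product_by_name_bound(conn, quoted),
        "log_line": render_for_log("SELECT id, name FROM products WHERE name = ?", (quoted,)),
    }
    try:
        product_by_id_bound(conn, tautology)
        results["bound_tautology"] = "accepted"
    except ValueError as e:
        results["bound_tautology"] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The UNION case is the one that matches what Mike describes later in the thread (attempts to get at passwords or schema): with string building, a single product lookup returns the users table's hashes alongside the product row; with the bound version the same input is rejected before the query runs.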

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Dorioo
- CFQUERYPARAM makes all values look like parameter 1... in the error messages, instead of the real values, not really handy when debugging; - CFQUERYPARAM makes all queries more difficult to write AND to read for programmers; Are you implying that cfqueryparam _shouldn't_ be used for

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Claude Schnéegans
Are you implying that cfqueryparam _shouldn't_ be used for these reasons?? No, I'm just saying that there are better and more efficient ways of fighting attacks. I use cfqueryparam on some occasions, but not everywhere blindly.

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Steve 'Cutter' Blades
- CFQUERYPARAM makes all queries more difficult to write AND to read for programmers; I couldn't disagree more with this statement. Aside from the protection benefits, the use of cfqueryparam creates bound sql parameters, which improve query performance. I don't disagree with your suggestion

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Gerald Guido
- CFQUERYPARAM makes all values look like parameter 1... in the error messages, instead of the real values, not really handful when debugging; There are parsers that will show the actual queries with values. My favorite is the one that Ben Nadel wrote. It is a little JS bookmark widget. -

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Gerald Guido
In case anyone is interested. This is the JS bookmark widget that parses Queryparam debugging info. Very handy. http://www.bennadel.com/blog/459-Merging-ColdFusion-SQL-Debugging-And-Query-Params-With-Javascript.htm HTH G! On Mon, May 2, 2011 at 9:14 AM, Gerald Guido gerald.gu...@gmail.com

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Dorioo
Ok. I'll respect your opinion. But for anyone new to CF that may read this, I don't believe there is a debate about using cfqueryparam. My impression is that the settled majority best practice is to use it blindly, use it everywhere rather than not use it, or use it sparingly, or not use it

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Mike Kear
Just for the record, I use other techniques to protect my sites too but in this case, I was outlining what saved me in this case. Clearly there are a bazillion ways nasty people can do damage or exploit weaknesses in sites. In this case, I was grateful that I hadn't given in to the temptation to

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Mike Kear
As an interesting aside, the same ip address started trying to probe my mail server a few minutes ago, and my version of cfformprotect picked it up and added the ip address to the banned ips. Now that same ip address is banned from using any forms on any site I administer. Again, they get no

Re: Q re new CF9 Spreadsheet* functions

2011-05-02 Thread Dave Burns
Den - Thanks for the info. I'd never heard of JExcelAPI but I've used Jasper on some previous Java-based contracts and, yes, it's great. Problem is that this client is on shared hosting (CrystalTech) so my ability to install 3rd-party libraries is essentially zero. Unless someone knows of a

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Gerald Guido
Mike, out of curiosity, what seems to be motivating these attacks? Malware injections? Hacker cred? Revenge or grudge? Or just to vandalize and do damage? It seems like a LOT of effort. I am also surprised that they are using the same IP for so long and not changing proxies. Thanx G! On Mon,

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Mike Kear
I don't know what the motivation is. All I've seen is repeated attempts to inject stuff into the database - never getting anywhere. So that means all the attempts so far are simply attempts to get at passwords or schema. I'm supposing once they get a look at the database they'll be able to

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Dave Watts
However about CFQUERYPARAM, keep in mind that: - this will prevent SQL injection, not all forms of attack; - CFQUERYPARAM makes all values look like parameter 1... in the error messages, instead of the real values, not really handy when debugging; - CFQUERYPARAM makes all queries more

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Dave Watts
The site is still running happily now, after about 8 hours of this.  I don't know why they persisted for that long with no result - I would have thought there were other targets they could go for if they're getting no result here. Chances are, it was an automated attack - the attacker might

Re: ExactTarget SOAP API

2011-05-02 Thread Kris Jones
The program architect assigned to our account sent me a bunch of samples for various calls - this helped a lot, but they are, of course, far from complete, documented, or anything approaching obvious on which to use. There are a lot of soap packet examples in the wiki, and if you trace

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Claude Schnéegans
cfqueryparam creates bound sql parameters, which improve query performance. This is purely theoretical, in practice, the gain in performance is negligible. I prefer to have a query take 11 ms and see the values submitted in case of error, than having the same query take 10 ms, but no

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Matt Quackenbush
And we prefer to hack Schneegans apps. :D On Mon, May 2, 2011 at 1:10 PM, wrote: cfqueryparam creates bound sql parameters, which improve query performance. This is purely theoretical, in practice, the gain in performance is negligible. I prefer to have a query take 11 ms and see the

Question about CF / Facebook Integration

2011-05-02 Thread Nick Gleason
Hi Folks, We're doing some research on Facebook integration with our CMS / CRM application and I wanted to run a question by you all. A client of ours wants to know the feasibility of having the contact info of their members update automatically in our application when those members update

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Judah McAuley
On Mon, May 2, 2011 at 11:10 AM, wrote: cfqueryparam creates bound sql parameters, which improve query performance. This is purely theoretical, in practice, the gain in performance is negligible. I prefer to have a query take 11 ms and see the values submitted in case of error, than

Question about CF / MS Word Integration

2011-05-02 Thread Nick Gleason
Hello there. We're researching the feasibility of integrating our CF based CMS / CRM application with MS Word and I want to get a sense of how easy / hard this might be. An example of the kind of thing that we would want to achieve would be to allow a client to use a web editor (e.g. CKEditor)

CF 9 on Win 2008 w/1 gig of ram

2011-05-02 Thread Gerald Guido
We are looking at a Win 2008 VPS for some low traffic hobby sites and for general dev purposes and I was wondering if one gig of ram would suffice. I would most probably be running IIS 7, Mysql 5.5 (or MSSQL 2008 Express), CF9 std. and possibly a name server and/or a (S)FTP server. I would only

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Dave Watts
cfqueryparam creates bound sql parameters, which improve query performance. This is purely theoretical, in practice, the gain in performance is negligible. I prefer to have a query take 11 ms and see the values submitted in case of error, than having the same query take 10 ms, but no

Displaying an Excel file in a CF page, period.

2011-05-02 Thread Liz Maher
I've been tearing my hair out all day with this. I have an Excel file that will be uploaded each day by one user who logs in and uploads it via a form. The Excel file has multiple worksheets. The names of the worksheets and even the columns will change and I won't be privy to these changes.

RE: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Mark A. Kruger
I almost always see a significant gain in query performance - at least on all versions of MSSQL - as much as 20-30 percent in some cases. Mark A. Kruger, MCSE, CFG (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -Original Message- From: Dave Watts

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Eric Cobb
I generally see a pretty significant gain on Oracle as well. Thanks, Eric Cobb http://www.cfgears.com Help me make a difference this summer - http://bit.ly/i8dJvQ On 5/2/2011 3:27 PM, Mark A. Kruger wrote: I almost always see a significant gain in query performance - at least on all

Re: Displaying an Excel file in a CF page, period.

2011-05-02 Thread Alan Rother
As with so many things on this forum... the answer is usually - Ben Nadel. Ben wrote a wrapper for a java package that interfaces with Excel, called POI http://www.bennadel.com/projects/poi-utility.htm It's pretty badass, point it at an Excel

Re: Displaying an Excel file in a CF page, period.

2011-05-02 Thread Liz Maher
Thanks. I found that earlier today and actually tried it out but numerous errors frustrated me. I'm dealing with MX 6.1 and even though I found and applied a fix to the CFC for 6.1, I just got a different error down the line. I am really hoping to just be able to display the Excel file within

Re: Displaying an Excel file in a CF page, period.

2011-05-02 Thread Leigh
I am really hoping to just be able to display the Excel file within the page, Is there a reason you cannot just read in the file as binary. Then display it inline with cfcontent and correct mime header (assuming the user's browser settings allow ...)?

Re: CF 9 on Win 2008 w/1 gig of ram

2011-05-02 Thread Russ Michaels
if you were only running IIS and CF it might possibly cope, but in general I have found that 2GB is a minimum for windows 2008 as you will also be running MySQL and MSSQL, then I would say you definitely need 2GB minimum. I presume you will be running 64bit, which also uses more RAM. But don't

Re: Question about CF / Facebook Integration

2011-05-02 Thread Russ Michaels
It is definitely possible because Android and Gmail will sync with your facebook contacts. I would suggest you start here http://developers.facebook.com/ On Mon, May 2, 2011 at 7:18 PM, Nick Gleason n.glea...@citysoft.com wrote: Hi Folks, We're doing some

RE: CF 9 on Win 2008 w/1 gig of ram

2011-05-02 Thread Jacob
If 32 Bit, go 4GB. We ran Windows 2008 with CF8 on 2GB... it did not cut it. Needed 4GB. -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Monday, May 02, 2011 3:20 PM To: cf-talk Subject: Re: CF 9 on Win 2008 w/1 gig of ram if you were only running IIS and CF

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread James Holmes
Sure, your MS Access DB doesn't cache execution plans, but real databases do. On Tuesday, 3 May 2011, wrote: cfqueryparam creates bound sql parameters, which improve query performance. This is purely theoretical, in practice, the gain in performance is negligible. I prefer to have a

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread David
On Mon, May 2, 2011 at 2:10 PM, wrote: cfqueryparam creates bound sql parameters, which improve query performance. This is purely theoretical, in practice, the gain in performance is negligible. I prefer to have a query take 11 ms and see the values submitted in case of error, than

Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Justin Scott
Yes, your error messages may need some help, but a combination of usage and proper error handling (too often ignored) can go a long way towards saving your bacon. Perhaps I'm going a little overboard, but my personal philosophy is that it shouldn't be possible for an end-user to generate a

Coldfusion 9 SQL Server 2008 XML bulkload

2011-05-02 Thread Kam Heydari
Hi, Anyone know how to pass the file name to the bulkload when the SQL Server and ColdFusion servers are on different physical servers? The following XML load works when both SQL and CF servers are residing on the same physical server. - How can I refer to the local file where SQL Server can access it?