>MaryJo produces a product that she supports on older platforms, hence
>the need to bypass cfqueryparam.
Actually, that's not really the issue so much as customers that are running
older versions of my software that don't have all the text inputs covered with
cfqueryparams. While this is certai
I have a client who reluctantly upgraded to CF5 from CF4.0 last year
(yes, that would be 2007) because a sysadmin _accidentally_ upgraded,
and they couldn't find the original 4.0 disks. While they'd like to
upgrade to CF7 or CF8, the cost of migrating the many, many apps they
have is cost prohibit
Goodness sakes-- cfqueryparam has been around since ColdFusion 4.5.1. How
far back does she need to support? :)
~Brad
- Original Message -
From: "Cutter (CFRelated)" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Monday, July 28, 2008 2:56 PM
Subject: Re: (ot)
MaryJo produces a product that she supports on older platforms, hence
the need to bypass cfqueryparam.
Steve "Cutter" Blades
Adobe Certified Professional
Advanced Macromedia ColdFusion MX 7 Developer
http://blog.cutterscrossing.com
Robert Harrison wrote:
>> Version
> Version 2 of the scanner I did is now available here:
http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18
Am I missing something here? I thought CFQUERYPARAM solved this problem. Is
this redundant or is there some problem with CFQUERYPARAM I'm missing?
Robert B. Harriso
>This has *not* been heavily tested as of yet, so use at your own risk!
There was a little mistake in the scanner I posted earlier that could cause it
to hang, if anyone downloaded it before, please grab the updated copy.
In just some basic iteration checking, the new version does appear to be
Version 2 of the scanner I did is now available here:
http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18
This has *not* been heavily tested as of yet, so use at your own risk!
--- Mary Jo
>The code on my blog is a working example, but it's not
>"drop in" ready - you would still need to check the form and cookie scope
>for example... So either way you will need to do some tweaking to get it to
>work for you situation.
I'm going to post an updated version of my tool later today, just
-Mark
-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2008 9:01 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
Thanks Mark. So, the function c
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
Gabriel... would you post the page in complete working order with your code
modifications? Thanks!
-Original Message-
From: Gabriel [mailto:[EMAIL PROTECTED]
Sent: Sunday, July 27, 2008 8:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
From: Gabriel [mailto:[EMAIL PROTECTED]
Sent: Sunday, July 27, 2008 7:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
To anyone who happened to use the regex I posted earlier I have an updated
method to be used in place, effective immediately.
// Short list of db objects to protect
DBObj.short = 'database|function|procedure
>This will fix a problem in which a long string containing too many back
>references for non-word chars can cause a stack overflow. As much as I love
>CF, I find the native regex implementation sadly lacking.
Thanks for the update... I'm not sure if any of my customers are using a host
that disab
hat I get being
drawn into posting code I hadn't had a chance to fully test. If anyone has
problems with, or enhancements to the above, please let me know.
Also, thank you to Mary Jo for adding me to the credits. My surname is Read
FYI in case you still desire to include me.
Regards,
Gabriel
> Interesting question:
>
>
>
> This is commented query in the code: Do any of you think if
> can process commented? I dont think so. But I am curious
> these hackers can do crazy stuff. Probably I will get an
> answer put in the commented query cfqueryparam or delete it :)
Code that is disa
I just got hit by this on one of my older sites (inconsistent use of
cfqueryparam) yesterday. I found an immensely helpful and very timely
posting here
http://russ.michaels.me.uk/index.cfm/2008/7/24/SQL-Injection-Attacks--How-to-protect_yourself
(I believe "Snake" is a list participant). I spent
Interesting question:
This is a commented query in the code: Do any of you think it can process
commented? I don't think so. But I am curious, these hackers can do crazy
stuff. Probably I will get an answer: put in the commented query cfqueryparam
or delete it :)
Radek
On Thu, Jul 24, 2008 at 2:33
I set up a scheduled task to check my database every 15 minutes. It
looks for my entry in the users table, and compares my email address
and website address with what is in the database. IF it differs, I
get an email. I did the same thing for 10 different tables.
> > > If I do find any v
I won't mention names but a few popular websites I use have been
hit.. one was down for 3 days now.
Recently I set up an anonymous ftp server.. I needed a few people to
send me files and I thought that would be the easiest way. the url
was private - not published anywhere.. 2 days later
Tell me about it I told one of my customers E- commerce store to backup
often DB (if u do some edits to DB make a backup!!!) and told him to buy
hard-drive or RAID 1 or RAID 5 solution to backup the DB and website, he
said no no no expensive, 6 days ago he got hit cause who made this site
never us
>Ok gonna check that out thanks.
I just uploaded a new version that includes the cookie scope, and commonly used
CGI vars as well.
While this has been a headache to deal with, at least it might convince more of
my customers to get around to updating their sites. ;-) It often doesn't matter
ho
Ok gonna check that out thanks.
On Fri, Jul 25, 2008 at 3:40 PM, Mary Jo Sminkey <[EMAIL PROTECTED]>
wrote:
> >What do you think about this solution for sites with 5000 files:
>
> This looks similar to the solution I am providing to my customers (I have a
> lot that run old releases that are not
>What do you think about this solution for sites with 5000 files:
This looks similar to the solution I am providing to my customers (I have a lot
that run old releases that are not as well protected as my current one and have
little desire to either update their software *or* the code). I used t
I requested that code from them earlier, so in case I will receive it, gonna
send it to you.
Radek
On Fri, Jul 25, 2008 at 2:42 PM, Radek Valachovic <[EMAIL PROTECTED]>
wrote:
> That's what I thought same thing, temporary fix. Thanks for checking that
> out and posting scanners.
>
>
> On Fri, Ju
OK.. You are right.. drop my request..
but I would request 3 other enhancements to dreamweaver to make these
changes easier:
1. Put the sql queryparam on the main CF toolbar..
2. When you right click the file name in the Files area you can
select PUT.. I would like to add that functionality t
That's what I thought same thing, temporary fix. Thanks for checking that
out and posting scanners.
On Fri, Jul 25, 2008 at 2:42 PM, Dave Watts <[EMAIL PROTECTED]> wrote:
> > What do you think about this solution for sites with 5000 files
>
> It may be satisfactory for a temporary fix, to give yo
> What do you think about this solution for sites with 5000 files
It may be satisfactory for a temporary fix, to give you enough time to fix
your 5000 files. It is almost certainly unsuitable as a permanent solution.
This part is fairly vague:
"Checks all FORM and URL input for SQL injection code
Sent: Friday, July 25, 2008 1:33 PM
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
> RIAForge is back up ...
>
RIAForge is back up ...
-Original Message-
From: Radek Valachovic [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 2:20 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
I have it installed already, but other guys in forums asking for
t
>>
>> ~Brad
>>
>> - Original Message -
>> From: "Radek Valachovic" <[EMAIL PROTECTED]>
>> To: "CF-Talk"
>> Sent: Friday, July 25, 2008 1:11 PM
>> Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To B
/24/Announcing-the-first-ever-International-Operation-cfSQLprotect
>
> ~Brad
>
> - Original Message -
> From: "Radek Valachovic" <[EMAIL PROTECTED]>
> To: "CF-Talk"
> Sent: Friday, July 25, 2008 1:11 PM
> Subject: Re: (ot) URL Hack Attempt L
From: "Radek Valachovic" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Friday, July 25, 2008 1:11 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
> RiaForge.org doesnt work, tryied to get the cfqueryparam scanner:
>
> http://qpscan
rgy better
spent.
~Brad
- Original Message -
From: "Claude Schneegans" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Friday, July 25, 2008 12:46 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
> >>I have to hand it to Claude - he d
RiaForge.org doesn't work, tried to get the cfqueryparam scanner:
http://qpscanner.riaforge.org/
anybody knows what happened?
Radek
On Fri, Jul 25, 2008 at 1:46 PM, Claude Schneegans <
[EMAIL PROTECTED]> wrote:
> >>I have to hand it to Claude - he definitely has confidence
>
> Well, unless O
>>I have to hand it to Claude - he definitely has confidence
Well, unless ODBC and JDBC have some function to enable/disable multi
statements,
It would certainly be much trouble to implement this in CF.
I've checked rapidly in the ODBC docs, and I don't see any reference to
multi statement.
An
>>That is more a function of the db.
Exact, and I don't see how CF could prevent from multiple execution.
It should compile the SQL code for that, and it does not.
Unless ODBC/JDBC drivers have a function to disable it.
--
___
REUSE CODE! Use custom tags;
See
I have to hand it to Claude - he definitely has confidence :)
-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:15 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
>> how about ch
Is there a kind of way to stop the botnet from spamming websites? Hacker has
to stop it? or right now if it is automated is there any way?
Radek
On Fri, Jul 25, 2008 at 12:56 PM, Dave Watts <[EMAIL PROTECTED]> wrote:
> > Seeing as how this type of sql injection attack is
> > succeeding so mu
>> how about changing cfquery so that by default, only ONE sql
>>statment can be sent. Let us override that with a parameter in
>>cfquery or a cfprocessing driective type of thing in our
application.cfm..
Pretty good idea.
>>I doubt many people use multiple sql statements in one cfquery,
F : 631.434.7022
www.austin-williams.com
Great advertising can't be either/or... It must be &.
-Original Message-
From: Matt Quackenbush [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:42 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
For
> Seeing as how this type of sql injection attack is
> succeeding so much (even my favorite fishing website has been
> down for days due to it (it is a .cfm site))...
> how about changing cfquery so that by default, only ONE sql
> statment can be sent. Let us override that with a paramete
+Infinity.
(I'd add some sort of really intelligent comment, but, well, Robert already
covered that part.)
On Fri, Jul 25, 2008 at 11:14 AM, Robert Harrison wrote:
> > how about changing cfquery so that by default...
>
> NO NO NO NO NO NO NO NO
>
> I've used nested SQL all the time, and
from this without going to the extreme that you suggest
>
> - Original Message -
> From: "Al Musella, DPM" <[EMAIL PROTECTED]>
> To: "CF-Talk"
> Sent: Friday, July 25, 2008 9:04 AM
> Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head.
you'd
still have to remember to switch it off.
-- Josh
- Original Message -
From: "Al Musella, DPM" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Friday, July 25, 2008 9:04 AM
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
>
Al Musella, DPM wrote:
> Seeing as how this type of sql injection attack is succeeding so
> much (even my favorite fishing website has been down for days due to
> it (it is a .cfm site))...
> how about changing cfquery so that by default, only ONE sql
> statment can be sent.
That is a *ve
From: Dave Francis [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:16 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
I find it useful on occasion with INSERT then SELECT @IDENTITY
-Original Message-
From: Al Musella, DPM [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To
Ben Forta
Ben,
Seeing as how this
> how about changing cfquery so that by default...
NO NO NO NO NO NO NO NO
I've used nested SQL all the time, and I've got over 100 web sites up.
Validate and use REREPLACE and CFQUERYPARAM and you're fine.
Don't ever make a function change that kills existing code written
correctly.
R
Ben,
Seeing as how this type of sql injection attack is succeeding so
much (even my favorite fishing website has been down for days due to
it (it is a .cfm site))...
how about changing cfquery so that by default, only ONE sql
statment can be sent. Let us override that with a parameter in
Yes Exactly, Run the current attack, I am doing it to see how am I securing
the site and it works!
Happy Attacking :)
On Thu, Jul 24, 2008 at 3:39 PM, Dave Watts <[EMAIL PROTECTED]> wrote:
> > If I do find any vunerabilities, is there something I can run
> > against the database to see if it has
> If I do find any vunerabilities, is there something I can run
> against the database to see if it has been infected?
Well, for the current attack, you would look at your
varchar/nvarchar/text/ntext columns to see if anything's been appended to
them. This should be fairly easy to identify.
Dave
Al Musella, DPM wrote:
> I can't believe this isn't a big news story.. it has been the focus
> of my life for the last 48 hours:)
To be a big news story, it would have to be big and new. It is neither.
The impact it has had on the net is negligible. Who can mention 3 sites
that have been hit th
I noticed since I started securing the site also with the cfif EXEC, I have
lower hits with the code, 3 days ago and more I got hit like an every hour,
these past 2 days I got 2 hits a day to the exact same page with exact same
variables in url
On Thu, Jul 24, 2008 at 3:05 PM, Radek Valachovic
Great, yes understand, basically it runs another script against database so
it assumes that it is not part of the user_id. good thanks.
On Thu, Jul 24, 2008 at 3:05 PM, Dave Watts <[EMAIL PROTECTED]> wrote:
> > How can it be processed when USER_ID in database is
> > specified for LENGTH 15 and U
, Jul 24, 2008 at 2:21 PM, Adrian Lynch <[EMAIL PROTECTED]>
> wrote:
>
>> Whatever the length of the column in your DB.
>>
>> Adrian
>>
>> -Original Message-
>> From: Radek Valachovic [mailto:[EMAIL PROTECTED]
>> Sent: 24 July 2008 19:19
>I was just looking into that myself.
>
>http://qpscanner.riaforge.org/
>
>
>
I plan on running this against the code of my sites just to be sure.
If I do find any vunerabilities, is there something I can run against the
database to see if it has been infected?
Thanks.
> How can it be processed when USER_ID in database is
> specified for LENGTH 15 and USER_ID with Hacker code has
> length like 100?
For the purpose of preventing SQL injection, the length of the field in your
prepared statement doesn't matter. It is enough for it to be a prepared
statement, whi
Dave Phillips wrote:
> (Claude) >> It may be a silly question, but why a SELECT * will break
> because an unused column was dropped?
>
> To clarify, it is a SELECT * query with a CFQUERYPARAM in it. Because the
> first time the query is executed, an execution plan is built and cached.
> That execu
> What would you suggest for thi
- Original Message -
From: "Charlie Griefer" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Thursday, July 24, 2008 12:59 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
> On Thu, Jul 24, 2008 at 10:48 AM, Radek Valachovic <[EMAIL PROTECTED]>
> wr
> > If you don't really care
>
> I don't really care measuring the difference it makes,
> because it must certainly be marginal, and it is not because
> I don't care the difference it can made that I cannot make a
> comment about it.
If you want to be a contrarian for the sake of being a contr
Sent: Thursday, July 24, 2008 2:19 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
What would you suggest for this kind of thing:
Select USERID
from users
where email = '#trim(arguments.email)#' and password =
'#trim(arguments.password)#'
Something like this?
Select USE
(Brad) >>This is starting to sound like a bad multiple choice question from
a college
final... :)
Especially our college, Brad. ;-)
(Claude) >> It may be a silly question, but why a SELECT * will break
because an unused column was dropped?
To clarify, it is a SELECT * query with a CFQUERYPARA
~Brad
- Original Message -
From: "Radek Valachovic" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Thursday, July 24, 2008 1:26 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
> So if I wont use maxlenght st
Charlie Griefer wrote:
> Not using SELECT * is more of a "best practices" kind of thing.
>
> When you use it, you're potentially pulling more information than you need,
> which is inefficient.
It can also lead to very hard to debug errors. When "*" is used, the
list of columns can become cache
> So if I won't use maxlength still it is gonna be secured?
Yes.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-
>
> --- Ben
>
>
> -Original Message-
> From: Radek Valachovic [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 24, 2008 2:19 PM
> To: CF-Talk
> Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
>
> What would you suggest for this kind of thing:
>
>
From: "Radek Valachovic" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Thursday, July 24, 2008 1:18 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
> What would you suggest for this kind of thing:
>
> Select USERID
> from users
> where email
Whatever the length of the column in your DB.
Adrian
-Original Message-
From: Radek Valachovic [mailto:[EMAIL PROTECTED]
Sent: 24 July 2008 19:19
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
What would you suggest for this kind of thing:
Select
This is starting to sound like a bad multiple choice question from a college
final... :)
~Brad
- Original Message -
From: "Ben Forta" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Thursday, July 24, 2008 1:15 PM
Subject: RE: (ot) URL Hack Attempt Leaves Me Scrac
What would you suggest for this kind of thing:
Select USERID
from users
where email = '#trim(arguments.email)#' and password =
'#trim(arguments.password)#'
Something like this?
Select USERID
from users
where email = and password =
I put Question marks to MAXLENGTH still thinking if I should
On Thu, Jul 24, 2008 at 11:20 AM, Claude Schneegans <
[EMAIL PROTECTED]> wrote:
> A very particular situation though.
Perhaps, but the following demonstrates how this kind of issue can be even
more problematic when the table is changed in such a way that no error is
thrown by the view...
CREATE
Fine, it's always a good idea to never use *
;-)
--- Ben
-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 2:13 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
>>it's safe to say that
>>it's safe to say that avoiding "*" is a good idea,
Now that's the kind of statement I prefer: "a good idea",
better than *always* or *never* :-)
--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send an
> It may be a silly question, but why a SELECT * will break
> because an unused column was dropped?
For the same reason that SELECT * will break if you use it in a view, run
the view, then change the underlying schema. The "*" gets dereferenced to
actual columns in the execution plan, which gets
>>If you don't really care
I don't really care measuring the difference it makes, because it must
certainly be marginal,
and it is not because I don't care the difference it can made that I cannot
make a comment about it.
--
___
REUSE CODE! Use custom tags;
S
> A very particular situation though. It will not prevent me
> from using SELECT * when I need all fields. This is more
> efficient than list all of them.
It may be more efficient for you as you type them out, but it will be less
efficient for your database, which has to figure out what "*" repr
On Thu, Jul 24, 2008 at 10:48 AM, Radek Valachovic <[EMAIL PROTECTED]>
wrote:
> Yeah I was reading in the forum this one, that using SELECT * is not good,
> can u explain why on short example? What is Pro and Cons what other type of
> security it gonna give me? Thanks
>
Not using SELECT * is more
> Ok, this is another example where CFQP is useful, as the doc says.
> But if the query is not likely to be executed often, which is
> the case with small sites, generating the execution plan
> might represent an overhead on the contrary.
> (just assuming, I have not run tests, and I don't really
>>When your database executes a SQL statement, it generates an
execution plan
that best fits that statement and it caches that plan in memory for later
use.
Ok, this is another example where CFQP is useful, as the doc says.
But if the query is not likely to be executed often, which is the case
Sent: Thursday, July 24, 2008 12:37 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...
Using CFQUERYPARAM will secure your DB calls. That doesn't mean you don't
have other problems. But it does mean that executing arbitrary code against
the DB using user inputs (form, url, cookie) i
- Original Message -
> From: "Radek Valachovic" <[EMAIL PROTECTED]>
> To: "CF-Talk"
> Sent: Thursday, July 24, 2008 12:12 PM
> Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
>
>
> > D
That's fair enough from a security standpoint, but I still use cfqueryparam
with MS SQL for performance reasons.
When your database executes a SQL statement, it generates an execution plan
that best fits that statement and it caches that plan in memory for later
use (so it doesn't have to be ge
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
-Original Message-
From: Radek Valachovic [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 12:12 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
Do you think when I am using cfqueryparams for examp
From: "Radek Valachovic" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Thursday, July 24, 2008 12:12 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
> Do you think when I am using cfqueryparams for example w
Do you think when I am using cfqueryparams for example with numbers like
this is secured?:
SELECT * FROM product WHERE productoid=
Another example I am thinking worse is with text, I made it like this:
SELECT * FROM item WHERE L3=
I added maxlength to as more security, with PRODUCTOID it is alw
>>Not if you use MySQL. That DBMS allows for an alternative way to escape
those with a backslash.
Ok, then let's say that CFQP should always be used with MySQL...
>>.. and you haven't turned off MySQL's default ways of escaping those
ticks
... IF you have not turned off MySQL's default ways of e
To: "CF-Talk"
Sent: Thursday, July 24, 2008 11:32 AM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
> >>Closing the apostrophe is exactly how SQL injection occurs with text
> field
>
> Ok, you got it!
> BUT CFQUERY will escape
>>Closing the apostrophe is exactly how SQL injection occurs with text
field
Ok, you got it!
BUT CFQUERY will escape that apostrophe anyway, so that the SQL injection
will
just be part of the string stored in the field whether you use CFQP or not.
--
___
REUS
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
> >>ANY string passed into cfqueryparam cannot be executed as SQL:
>
> Is it really possible to get an SQL statement executed from a string for
> a text field
> with
>>Jeez, and value="URL.TryToHackThis" should be value="#URL.TryToHackThis#"
so you see that CFQP is not that easy to use ;-))
--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this a
>>ANY string passed into cfqueryparam cannot be executed as SQL:
Is it really possible to get an SQL statement executed from a string for
a text field
without closing the string first with an apostrophe?
--
___
REUSE CODE! Use custom tags;
See http://www.con
Jeez, and value="URL.TryToHackThis" should be value="#URL.TryToHackThis#"
That's what I get for answering at midnight.
On Thu, Jul 24, 2008 at 11:57 PM, James Holmes <[EMAIL PROTECTED]> wrote:
> Obviously cfsqltype="varchar" should be cfsqltype="cf_sql_varchar" (my typo).
>
> On Thu, Jul 24, 2008
Obviously cfsqltype="varchar" should be cfsqltype="cf_sql_varchar" (my typo).
On Thu, Jul 24, 2008 at 11:55 PM, James Holmes <[EMAIL PROTECTED]> wrote:
> I'll say it again.
>
> ANY string passed into cfqueryparam cannot be executed as SQL:
>
> select somecolumn
> from sometable
> where someotherco
I'll say it again.
ANY string passed into cfqueryparam cannot be executed as SQL:
select somecolumn
from sometable
where someothercolumn =
It is irrelevant what gets passed in the URL.TryToHackThis; it cannot
be executed as a SQL statement. It's bound to the query as a
parameter.
On Thu, Jul 2
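An added illustration, not code from the thread, of three points made above: James Holmes's that a bound parameter is never parsed as SQL, Dave Watts's that maxlength adds nothing to that guarantee, and Claude's that only the driver could refuse multi-statement queries. It uses Python's sqlite3 module in place of cfquery; the `users` table, its rows and all function names are constructed for this example.

```python
import sqlite3

# Constructed sample data; the "users" table mirrors the login query in the
# thread (email/password lookup returning USERID). The apostrophe in the
# second e-mail is legitimate data, not an attack.
SAMPLE_USERS = [
    ("alice@example.com", "correct horse"),
    ("o'brien@example.com", "battery staple"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_interpolated(conn, email, password):
    """The pattern from the thread, where email = '#trim(arguments.email)#':
    the input is pasted into the SQL text. Returns matching userids, or None
    when the database rejects the statement because an apostrophe in the
    input ended the string literal and the remainder was parsed as SQL."""
    sql = "SELECT userid FROM users WHERE email = '%s' AND password = '%s'" % (
        email.strip(),
        password.strip(),
    )
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def lookup_bound(conn, email, password):
    """The cfqueryparam equivalent: the SQL text is fixed and the values are
    bound as parameters, so the input is compared as data and never parsed.
    No maxlength is involved; an over-long value simply matches no row."""
    sql = "SELECT userid FROM users WHERE email = ? AND password = ?"
    rows = conn.execute(sql, (email.strip(), password.strip()))
    return [row[0] for row in rows]


def driver_refuses_multiple_statements(conn, sql):
    """The 'one statement per query' behaviour proposed in the thread, as the
    sqlite3 driver already enforces it: execute() rejects a string holding
    more than one statement. Returns True if the driver refused the string.
    Older CPython versions raise sqlite3.Warning here, newer ones
    sqlite3.ProgrammingError, so both are caught."""
    try:
        conn.execute(sql)
        return False
    except (sqlite3.Error, sqlite3.Warning):
        return True


if __name__ == "__main__":
    db = make_db()
    print(lookup_interpolated(db, "o'brien@example.com", "battery staple"))
    print(lookup_bound(db, "o'brien@example.com", "battery staple"))
    print(lookup_bound(db, "x" * 100, "battery staple"))
    print(driver_refuses_multiple_statements(db, "SELECT 1; SELECT 2"))
```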
>>So you know that it *always* prevents SQL injection in a standard
query (select, update or delete).
Really? Can you give an example of injection that will be prevented?
--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tags
1 - 100 of 229 matches