CAR file deployment Issue

2008-08-20 Thread vishnu prasad
Hi 
We are planning to migrate from ColdFusion MX 6.1 to ColdFusion 8.

While deploying the CAR file created from MX 6.1 into ColdFusion, none of 
the SQL datasources work. The log file contains the error message below:

Error occurred while updating datasources:tedy
Error,jrpp-10,08/20/08,13:49:36,,An error occurred while trying to 
encrypt or decrypt your input string: com.rsa.jsafe.crypto.dr: Could not 
perform unpadding: invalid pad byte.. 

After adding the following to the JVM config, the error below occurs:
-Dcoldfusion.disablejsafe=true
Complete JVM Args
java.args=-server -Xmx512m -Dsun.io.useCanonCaches=false -XX:MaxPermSize=192m 
-XX:+UseParallelGC -Dcoldfusion.rootDir={application.home}/../  
-Dcoldfusion.classPath={application.home}/../lib/updates,{application.home}/../lib,{application.home}/../gateway/lib/,{application.home}/../wwwroot/WEB-INF/flex/jars,{application.home}/../wwwroot/WEB-INF/cfform/jars
 -Dcoldfusion.libPath={application.home}/../lib -Dcoldfusion.disablejsafe=true
An error occurred while trying to encrypt or decrypt your input string: Given 
final block not properly padded. 



~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311299
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


Anyone going to BFlex / BFusion and wants to share a ride?

2008-08-20 Thread Andy Matthews
There's a FREE 2 day ColdFusion / Flex conference coming up in two weeks 
(September 6th & 7th) in Bloomington, Indiana (close to Indy):

http://bflex.info/

I'm going, but wanted to find out if there's anyone in the Nashville, TN 
area that was interested in going so that we can share gas money going up. It's 
about a 4-5 hour drive and I'm planning on leaving a little early on Friday to 
get up there for some hang time before it starts.

So I guess anyone in Memphis, Knoxville, Chattanooga, Birmingham, etc. 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311300


Re: CFDocument Header Not Responding to Font-Size

2008-08-20 Thread andrew lorien
I know this was months ago, but I've just had the same problem and the correct 
answer was Google hit number 41...

In CF8 (but not CF7) the header and footer are forced within margintop and 
marginbottom, so no matter how big you make your text and images, if you leave 
the default margins they'll be tiny. Try:

<cfdocument format="PDF" pagetype="A4" margintop="5" marginbottom="2.5" unit="cm">


Hey Everyone - 
Just wondering if other people can duplicate this:

If I put this in my CFDocument:
<div style="font-family:Arial,sans-serif;font-weight:bold;font-size:36px;">I am in the Body</div>

The text fonts, weights, and sizes correctly.

If I put this in my <cfdocumentitem type="header"> (inside my CFDocument):
<div style="font-family:Arial,sans-serif;font-weight:bold;font-size:36px;">I am in the Header</div>

The text fonts and weights, but does not size (size is default size).

If this can be duplicated, is this a bug, is this something I can work
around (and if yes, what would be the process to work around this problem?).

Thanks -
Stephen 
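A complete page that puts Andrew's margin fix in context, added here as an illustration rather than code from the thread. The header and footer sit inside the top and bottom margins, so the margins are given in cm and sized to hold a 36px header; the page text and margin values are made up.

```cfml
<!--- Added example (not from the thread): in CF8 the header and footer are
      drawn inside margintop and marginbottom, so those margins must be large
      enough for the content you put there. Values below are constructed. --->
<cfdocument format="PDF" pagetype="A4" unit="cm"
            margintop="5" marginbottom="2.5" marginleft="2" marginright="2">

    <!--- Header: rendered within the 5 cm top margin --->
    <cfdocumentitem type="header">
        <div style="font-family:Arial,sans-serif;font-weight:bold;font-size:36px;">
            I am in the Header
        </div>
    </cfdocumentitem>

    <!--- Footer: rendered within the 2.5 cm bottom margin;
          cfdocument.currentpagenumber / totalpagecount are built-in --->
    <cfdocumentitem type="footer">
        <div style="font-family:Arial,sans-serif;font-size:10px;text-align:center;">
            Page #cfdocument.currentpagenumber# of #cfdocument.totalpagecount#
        </div>
    </cfdocumentitem>

    <!--- Body: not affected by the margins, which is why it sized correctly before --->
    <div style="font-family:Arial,sans-serif;font-weight:bold;font-size:36px;">
        I am in the Body
    </div>

</cfdocument>
```

If the header still renders small, shrink the header text or grow margintop; the two have to agree because the header is clipped to the margin, not the other way round.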

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311301


Increasing Max Memory

2008-08-20 Thread Steve Moore
I'm trying to increase the allowed memory for CF to accommodate large file 
uploads. I've experimented with various settings, but can't seem to correlate 
them with the file size I'm trying. Currently trying to upload a 300Mb file. 
Have the following settings in the Java and JVM window: Maximum JVM Heap Size 
(MB): 1024; JVM Arguments: -XX:MaxPermSize=384m.

Upload attempt results in the error: 
coldfusion.util.MemorySemaphore$MemoryUnavailableException: Memory required 
(300616607 bytes) exceeds the maximum allowed memory.

Are there other settings, or changes to the above, that will allow me to 
perform this upload?

Steve Moore
Larimer County Colorado 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311302


Re: Increasing Max Memory

2008-08-20 Thread Kelly
In CFAdmin if you go to Settings and scroll down to Request Size Limits, 
what are your settings there?
I believe the Maximum Size of Post Data would need to be at least 300Mb.
Kelly


Steve Moore wrote:
 I'm trying to increase the allowed memory for CF to accommodate large file 
 uploads. I've experimented with various settings, but can't seem to correlate 
 them with the file size I'm trying. Currently trying to upload a 300Mb file. 
 Have the following settings in the Java and JVM window: Maximum JVM Heap Size 
 (MB): 1024; JVM Arguments: -XX:MaxPermSize=384m.

 Upload attempt results in the error: 
 coldfusion.util.MemorySemaphore$MemoryUnavailableException: Memory required 
 (300616607 bytes) exceeds the maximum allowed memory.

 Are there other settings, or changes to the above, that will allow me to 
 perform this upload?

 Steve Moore
 Larimer County Colorado 

 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311303


RE: Increasing Max Memory

2008-08-20 Thread Dave Watts
 I'm trying to increase the allowed memory for CF to 
 accommodate large file uploads. I've experimented with 
 various settings, but can't seem to correlate them with the 
 file size I'm trying. Currently trying to upload a 300Mb 
 file. Have the following settings in the Java and JVM window: 
 Maximum JVM Heap Size (MB): 1024; JVM Arguments: -XX:MaxPermSize=384m.
 
 Upload attempt results in the error: 
 coldfusion.util.MemorySemaphore$MemoryUnavailableException: 
 Memory required (300616607 bytes) exceeds the maximum allowed memory.
 
 Are there other settings, or changes to the above, that will 
 allow me to perform this upload?

The maximum memory you can allocate on a 32-bit Windows OS is less than 1.5
GB. You should be able to upload the file with 1 GB allocated, but you will
need to change the maximum file upload size if you're using CF 8 (I don't
remember if that option is in 7, off the top of my head).

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311304


Re: Increasing Max Memory

2008-08-20 Thread Brad Wood
Yeah, the setting was part of 7.

Steve, to clarify, log into your ColdFusion Administrator for that server. 
Click on the Settings menu under Server Settings
There should be two settings in there that might affect you:

Near the top of the page there is a setting called "Maximum size of post 
data". Change the number in the text input to be as large as or larger than 
what you are trying to upload.
Also, check out the Request Throttle Memory setting at the bottom of the 
page.

~Brad

- Original Message - 
From: Dave Watts [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Wednesday, August 20, 2008 11:38 AM
Subject: RE: Increasing Max Memory 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311305


Re: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore
I am still getting around 50 to 75 attacks a day on about 20 of my websites. I 
applied the solution from JOCHEM that aborts the attack in the application.cfm 
file and then sends me an email. 

They just keep coming from different IP addresses so it is useless to do 
anything other than wait for the storm to pass and watch them eat up bandwidth.

In the words of one of my all time favorites, "AUGH!" (that would be Charlie 
Brown for all you young ones).

David G. Moore, Jr.
UpstateWeb, LLC 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311306


Query Too Complex for Access?

2008-08-20 Thread David Moore
I know I am setting myself up for another "Query too complex" issue, so before 
I start I thought I would ask for suggestions. I run into this when I have to 
reference two different Access databases that are Client imposed (don't ask). 
Basically, I have to use one for active data and one to show available data 
(minus the active data). This is, of course, where the problem comes in. The 
queries will help:

<cfquery name="getActiveWorks" datasource="#DSN#">
SELECT * 
FROM Works 
WHERE Works.PageReference = #FORM.ThisPage#
AND Works.TypeReference = '#FORM.ThisType#'
</cfquery>

<cfquery name="getWorks" datasource="#DSN2#">
SELECT *
FROM Works, Artists 
WHERE Artists.ArtistNumber = Works.ArtistNumber
AND Works.Type = '#FORM.ThisType#'
<cfloop query="getActiveWorks">
AND Works.ThisInventory <> '#getActiveWorks.ThisReference#'
</cfloop></cfif>
ORDER BY Works.Title Asc
</cfquery>

The cfloop is where the problem is going to come into play when the 
Active Works get to a certain level and the Query becomes Too Complex. What 
is the best way to handle this? 

I am using CF8, Windows Server 2003, and MS Access w/Unicode ODBC Connector. 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311307


cfgrid and cfform enctype=multipart/form-data

2008-08-20 Thread David Byers
Greetings!

I'm having a problem with cfgrid and I need some assistance.  Whenever I
try to submit an HTML format grid with the enctype="multipart/form-data"
attribute applied to the cfform tag, I receive "The submitted cfgrid
form field is corrupt (name: __CFGRID__MYTEST__MYGRID value:
,__CFGRID__COLUMN__=DESCRIPTION; __CFGRID__DATA__=my Test 1)" as an
error.

Traditionally, I would look for semicolons in the grid data.  This time,
it appears as though the myGrid field is being passed twice to the
action page.  If I remove the enctype attribute, the form works and
submits the grid data just fine.

Has anyone else experienced this and/or have a workaround?



<!--- BEGIN CODE SAMPLE - FILE t1.cfm --->
<cfscript>
variables.myQuery = queryNew("ID,Description", "integer,varchar");

queryAddRow(variables.myQuery, 1);
querySetCell(variables.myQuery, "ID", 1);
querySetCell(variables.myQuery, "Description", "my Test 1");

queryAddRow(variables.myQuery, 1);
querySetCell(variables.myQuery, "ID", 2);
querySetCell(variables.myQuery, "Description", "my Test 2");
</cfscript>

<cfform name="myTest" format="html" action="t2.cfm" method="post"
        enctype="multipart/form-data">
    <cfgrid
        name="myGrid"
        format="html"
        selectmode="row"
        pagesize="20"
        autowidth="true"
        preservepageonsort="true"
        selectonload="false"
        striperows="yes"
        query="variables.myQuery"
        width="360">

        <cfgridcolumn name="Description">
    </cfgrid>

    <cfinput type="submit" name="btn_submit" value="Go">
</cfform>
<!--- END CODE SAMPLE --->

<!--- BEGIN CODE SAMPLE - FILE t2.cfm --->
<cfdump var="#form#">
<!--- END CODE SAMPLE --->



TIA... I sincerely appreciate any input you have.


David Byers 
Applications Developer - Internet

Shift4 Corporation
1491 Center Crossing Road
Las Vegas, NV  89144-7047

702.597.2480
fax 702.597.2499
www.shift4.com
[EMAIL PROTECTED]


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311308


RE: Query Too Complex for Access?

2008-08-20 Thread Dave Phillips
Have you tried:

  AND Works.ThisInventory NOT IN
(#listQualify(valueList(getActiveWorks.ThisReference), "'")#)

??

Dave
-Original Message-
From: David Moore [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 20, 2008 1:18 PM
To: CF-Talk
Subject: Query Too Complex for Access?

I know I am setting myself up for another "Query too complex" issue, so
before I start I thought I would ask for suggestions. I run into this when I
have to reference two different Access databases that are Client imposed
(don't ask). Basically, I have to use one for active data and one to show
available data (minus the active data). This is, of course, where the
problem comes in. The queries will help:

<cfquery name="getActiveWorks" datasource="#DSN#">
SELECT * 
FROM Works 
WHERE Works.PageReference = #FORM.ThisPage#
AND Works.TypeReference = '#FORM.ThisType#'
</cfquery>

<cfquery name="getWorks" datasource="#DSN2#">
SELECT *
FROM Works, Artists 
WHERE Artists.ArtistNumber = Works.ArtistNumber
AND Works.Type = '#FORM.ThisType#'
<cfloop query="getActiveWorks">
AND Works.ThisInventory <> '#getActiveWorks.ThisReference#'
</cfloop></cfif>
ORDER BY Works.Title Asc
</cfquery>

The cfloop is where the problem is going to come into play when the
Active Works get to a certain level and the Query becomes Too Complex.
What is the best way to handle this? 

I am using CF8, Windows Server 2003, and MS Access w/Unicode ODBC Connector.



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311309


RE: Query Too Complex for Access?

2008-08-20 Thread David Moore, Jr.
No I haven't.  
 
What you are saying is that I should use valueList to build a full list from 
all values in the getActiveWorks query and then listQualify to see if any 
variable matches.
 
Thanks David! I will give it a shot. 
 
Does anyone else know of any other ways?
 
David G. Moore, Jr.
UpstateWeb, LLC

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311310


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
 I also had a concern about thread safety; it's caching the java.util.
 regex.Matcher object in Application scope, and calling Application.
 injChecker.reset(testvar) for each url/form/etc variable -- seems like 
 Matcher.reset() changes state of the cached Matcher object? 

Thanks for pointing this out...I updated the tool on my site to address this 
and also switched it to use a different RegEx that seems to work better and 
throw fewer false positives. Same link to download as before:

http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18

--- Mary Jo
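The thread-safety point above is worth seeing in code. The filter below is an added example, not Mary Jo's, Jochem's or Gabriel's script: it caches only the immutable `java.util.regex.Pattern` in application scope and creates a new `Matcher` for every value it checks, so concurrent requests never share Matcher state. The regular expression is a constructed, deliberately small one for the demo; the application name and log file name are mine.

```cfml
<!--- Added example (not code from the thread): Application.cfc request filter.
      java.util.regex.Pattern is immutable and safe to share; Matcher is not,
      so one is built per checked value instead of being cached and reset. --->
<cfcomponent output="false">
    <cfset this.name = "sqliFilterDemo">

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Constructed pattern for the demo: the ";DECLARE/EXEC/CAST" shape the
              thread is discussing plus a few other common markers. A production
              filter would use a vetted expression and tune for false positives. --->
        <cfset var patternClass = createObject("java", "java.util.regex.Pattern")>
        <cfset application.sqliPattern = patternClass.compile(
            "(?i)(;\s*(declare|exec|cast|update|insert|drop)\b|\bunion\s+(all\s+)?select\b|@@\w+|\bchar\(\d+\))"
        )>
        <cfreturn true>
    </cffunction>

    <cffunction name="isSuspicious" returntype="boolean" output="false"
                hint="True if the value matches the shared pattern. New Matcher per call.">
        <cfargument name="value" type="string" required="true">
        <cfset var matcher = application.sqliPattern.matcher(javaCast("string", arguments.value))>
        <cfreturn matcher.find()>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Scopes an outside party controls: URL, form, cookies and a few CGI fields --->
        <cfset var scopes = { url = url, form = form, cookie = cookie,
                              cgi = { query_string = cgi.query_string,
                                      http_user_agent = cgi.http_user_agent,
                                      http_referer = cgi.http_referer } }>
        <cfset var scopeName = "">
        <cfset var key = "">

        <cfloop collection="#scopes#" item="scopeName">
            <cfloop collection="#scopes[scopeName]#" item="key">
                <cfif isSimpleValue(scopes[scopeName][key]) AND isSuspicious(scopes[scopeName][key])>
                    <!--- Record the hit (value truncated) so the traffic can be watched,
                          then refuse the request before any query runs --->
                    <cflog file="sqli-filter" type="warning"
                           text="Blocked #cgi.remote_addr# #scopeName#.#key#=#left(scopes[scopeName][key], 200)# on #arguments.targetPage#">
                    <cfheader statuscode="400" statustext="Bad Request">
                    <cfabort>
                </cfif>
            </cfloop>
        </cfloop>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Drop the file in as Application.cfc (or call the same functions from Application.cfm) and watch the sqli-filter log for a few days to tune the pattern. As Justin notes further down the thread, a filter like this is a stop-gap; the lasting fix is cfqueryparam on every query so that a keyword in an input is just data.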







Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311311


RE: Query Too Complex for Access?

2008-08-20 Thread Dave Phillips
Actually, the first part is correct.  The listQualify() function actually
just places 'single quotes' around each of the values in your valuelist
since that would be required by the DB.

List qualify doesn't check any variables.

I noticed you had a stray </cfif> tag.  Were you missing a <cfif> condition
as you only wanted to compare against 'some' of the records in
getActiveWorks?  If so, send your CFIF statement as we'll have to modify
what I sent you earlier.

Dave

-Original Message-
From: David Moore, Jr. [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 20, 2008 1:37 PM
To: CF-Talk
Subject: RE: Query Too Complex for Access?

No I haven't.  
 
What you are saying is that I should use valueList to build a full list from
all values in the getActiveWorks query and then listQualify to see if any
variable matches.
 
Thanks David! I will give it a shot. 
 
Does anyone else know of any other ways?
 
David G. Moore, Jr.
UpstateWeb, LLC
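Dave's NOT IN rewrite, carried through with bound parameters, as an added example that is not code from the thread. Datasource, table and column names are taken from David's post; the cfsqltype values, and the guess that PageReference is numeric, are my assumptions about the Access schema. Binding the list with cfqueryparam removes the quoting that listQualify() was doing by hand and keeps the FORM values out of the SQL text, and the recordCount check covers the empty getActiveWorks case that would otherwise produce an invalid `NOT IN ()`.

```cfml
<!--- Added example (not from the thread). Two datasources as in David's post:
      DSN holds the active works, DSN2 the catalogue being filtered. --->
<cfquery name="getActiveWorks" datasource="#DSN#">
    SELECT ThisReference
    FROM Works
    WHERE Works.PageReference = <cfqueryparam value="#FORM.ThisPage#" cfsqltype="cf_sql_integer">
      AND Works.TypeReference = <cfqueryparam value="#FORM.ThisType#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfquery name="getWorks" datasource="#DSN2#">
    SELECT *
    FROM Works, Artists
    WHERE Artists.ArtistNumber = Works.ArtistNumber
      AND Works.Type = <cfqueryparam value="#FORM.ThisType#" cfsqltype="cf_sql_varchar">
    <!--- One NOT IN with a bound list replaces one "<>" clause per active row.
          An empty getActiveWorks would give "NOT IN ()", which is a SQL error,
          so the clause is skipped when there is nothing to exclude. --->
    <cfif getActiveWorks.recordCount GT 0>
      AND Works.ThisInventory NOT IN (
          <cfqueryparam value="#valueList(getActiveWorks.ThisReference)#"
                        cfsqltype="cf_sql_varchar" list="true">
      )
    </cfif>
    ORDER BY Works.Title ASC
</cfquery>
```

With list="true" ColdFusion expands the list into one bind parameter per value, so the clause is still as long as the active-works count; as Dave says, whether a few hundred bound values is acceptable depends on the driver, and the only way to know for the Access ODBC driver is to test it at the sizes you expect.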



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311312


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
I am currently using the SQLprev.cfm from Jochem to stop the onslaught of 
superfluous bandwidth suckage from my server, but was wondering what the 
difference would be with this one. I am not looking to start a "my SQL 
Injection blocker is better than yours", yet trying to educate myself on just 
what is going on and what is best to do. 
 
Does this thing just raise its ugly head every now and then and go away for a 
while? This is the first I have seen of it on my server.
 
Thanks in advance,
 
~David G. Moore, Jr.
UpstateWeb, LLC

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311313


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
 I am currently using the SQLprev.cfm from Jochem to stop the onslaught 
 of superfluous bandwidth suckage from my server, but was wondering 
 what the difference would be with this one.


Since I am not familiar with his, I cannot say what the difference would be. I 
did include URL, form, cookie and common CGI variables into mine as well so 
it's pretty comprehensive for both this attack and others that might start 
looking for other vulnerable areas. It uses Gabriel's method of leveraging the 
java regex pattern matcher which seems to give better performance and less 
likely to hang on large strings than with CF. Luis Melo who contributed the 
RegEx that I am now using has his own SQLi blocker as well that includes a 
bunch of additional functions (such as keeping a list of blacklisted IP 
addresses in application memory) which some people may like as well. My goal 
was to just try and put something together that could easily be dropped in any 
application and do its thing with fairly minimal overhead. 


 Does this thing just raise its ugly head every now and then and go 
 away for a while? This is the first I have seen of it on my server.

This particular attack? It does seem to come and go. I have no doubt the 
hackers will look for other avenues to exploit once it seems that this one is 
no longer having much effect. 





Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311314


RE: Query Too Complex for Access?

2008-08-20 Thread David Moore, Jr.
I noticed that after I hit the 'send' button. I had a cfif to check if there 
were actual records before running the statement. I didn't think I needed to 
show all that, so I took it out, but left the stray end code. 
 
The code works well. I haven't tested it at a lot of values though. This will 
not have the same issue once there are like 100 records in the getActiveWorks 
query. Right?
 
~David G. Moore, Jr.

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311315


RE: Flash Site Links Sanity Check

2008-08-20 Thread Jason Durham
At one point my browser hung and only revealed an "Email Jim" hyperlink.
This was in the address bar:
http://www.mypersonalbrilliance.com/about/. I clicked through them 20
or so times after that without a problem.

-Original Message-
From: Mark Leder [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 19, 2008 11:46 AM
To: CF-Talk
Subject: Flash Site Links Sanity Check

Hi all,

We're having reports of links not being clickable in a site:

Take a look at this URL (which has been live for 3 years):

http://www.mypersonalbrilliance.com

Also, look at this URL (also live for 3 years):

http://blog.mypersonalbrilliance.com

For both sites, click a few of the links in the black bar at top, and the
four floating links in the lights area at top.

Clickable with redirection? Any problems?

I've rechecked the crossdomain.xml file and inserted the eolas js fix from
adobe (for the double click problem in IE). I can't find any issues (nor
recreate the problem), but my client is having intermittent problems. We've
tried it here and remotely on several machines, using WinXP - FF2, FF3, IE6
and IE7.

Thanks for your help.

Mark






Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311316


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Justin Scott
> I am currently using the SQLprev.cfm from Jochem to stop the onslaught of 
> superfluous bandwidth suckage from my server, but was wondering what the 
> difference would be with this one. I am not looking to start a "my SQL 
> Injection blocker is better than yours", yet trying to educate myself on just 
> what is going on and what is best to do. 

My original SQLprev script (http://www.gravityfree.com/_sqlprev.cfm.txt) 
just checks for basic SQL keywords with a semicolon in URL variables. 
It's a quick and dirty way to give you some protection from bots 
short-term while your code base is updated to use best practices and 
secure coding methods.  Mary Jo's is more thorough in that it checks 
additional variable scopes, and can help protect better against 
hand-drafted attacks, but may have a higher potential for false 
positives (though it's improved recently from what I can tell).

SQLPrev has a version compatible with CF5 for those who need it, where 
the other script relies on CFMX functions to run.  I'm not saying one is 
better than the other, they both get the job done.  Just use whatever 
works best for you, and update your code so that you don't need either 
of them <g>.


-Justin Scott



~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311317


RE: Query Too Complex for Access?

2008-08-20 Thread Dave Phillips
David,

I don't know if it will or not, you will just need to test.  I'm sure there
is some upper limit as to how many bytes you can send in a call to the DB,
but I'm also betting that's driver dependent. 

Oh, if there is a possibility that getActiveWorks might be empty, you will
want this:

<cfif getActiveWorks.recordCount>
   AND Works.Inventory NOT IN
   (#listQualify(valueList(getActiveWorks.ThisReference), "'")#)
</cfif>

If you don't have that condition around it, you could end up with this SQL,
which would bomb:  

AND Works.Inventory NOT IN ()

If your app is going to exceed some limit, you may need to break your query
down somehow. Hopefully that won't be an issue though.

Hope this helps!

Dave
-Original Message-
From: David Moore, Jr. [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 20, 2008 3:48 PM
To: CF-Talk
Subject: RE: Query Too Complex for Access?

I noticed that after I hit the 'send' button. I had a cfif to check if
there were actual records before running the statement. I didn't think I
needed to show all that, so I took it out, but left the stray end code. 
 
The code works well. I haven't tested it at a lot of values though. This
will not have the same issue once there are like 100 records in the
getActiveWorks query. Right?
 
~David G. Moore, Jr.


~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311318


Re: Flash Site Links Sanity Check

2008-08-20 Thread Kelly
Tried w/ FF3, IE7 and Safari 3.1.2 for Windows. Had no problems.


~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311319


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
When you say "Update Your Code", are you saying using cfqueryparam? But even 
so, the SQL injection still will use up countless resources instead of cutting 
it off early. So, go back and fix 1,000's of lines of code I have developed 
over the last 'umpteen' years or stop it before it starts? Is this something new 
to CF8 or just a necessary evil because of SQL Injection Attacks? 
 
Not trying to pick a fight, because I am sure you have forgotten more code than 
I will ever know (seriously) and I am probably just being lazy (seriously), but 
is cfqueryparam something a lot of programmers really use? I have never seen 
cfqueryparam used on any tags I have purchased or exchanged and I am afraid 
all I know is what I have learned from books and forums. This is the first I 
have ever heard of using cfqueryparam.
 
~David G. Moore, Jr.
 

~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311320


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
> When you say "Update Your Code", are you saying using cfqueryparam? 

Yes, that's what he is saying. 


> so, go back and fix 1,000's of lines 
> of code I have developed over the last 'umpteen' years or stop it 
> before it starts?

Because if you don't, you are putting a LOT of faith in these blockers and 
assuming that hackers won't find other ways to attack a vulnerable application 
that doesn't get by them. Personally, I'm not sure I'd put *that* much trust in 
them, if I really cared about my sites being safe. 


> Is this something new to CF8 or just a necessary 
> evil because of SQL Injection Attacks? 

Nothing new, and certainly not unique to ColdFusion either. 


> is cfqueryparam something a lot of programmers 
> really use? 

Uh, yes. 


> This is the first I have ever heard of using cfqueryparam.

That is a truly scary thought. I hope you will spend some time on the 
ColdFusion blogs which have lots of information on the importance of using it. 


--- Mary Jo




~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311321


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Ian Skinner
David Moore, Jr. wrote:
> Not trying to pick a fight, because I am sure you have forgotten more code 
> than I will ever know (seriously) and I am probably just being lazy 
> (seriously), but is cfqueryparam something a lot of programmers really use? 
> I have never seen cfqueryparam used on any tags I have purchased or 
> exchanged and I am afraid all I know is what I have learned from books and 
> forums. This is the first I have ever heard of using cfqueryparam.

Yes, cfqueryparam... is well used, and for very good reasons.  One of 
which is: what do you want to happen if the next clever hacker comes 
along with an attack that gets around all these solutions that have been 
developed to stop them at the gate?  Do you really want to gamble your 
data and possibly your career on the fact that you can outguess every 
hacker, who collectively have almost endless time and resources to figure 
out ways around these solutions?

I equate it to this analogy I have been dying to use for some time.

Would you never build the city walls and gates just because you have 
sentries watching the road?  No matter how good and undefeatable you 
think your sentries are.

Or why have database passwords if you have a firewall.  (That one might 
be better)



~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311322


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Josh Nathanson
> Not trying to pick a fight, because I am sure you have forgotten more code 
> than I will ever know (seriously) and I am probably just being lazy 
> (seriously), but is cfqueryparam something a lot of programmers really 
> use? I have never seen cfqueryparam used on any tags I have purchased 
> or exchanged and I am afraid all I know is what I have learned from books 
> and forums. This is the first I have ever heard of using cfqueryparam.

It depends on what you mean by "a lot".  But, if you'd been hanging out on 
this list at all, you'd have heard of cfqueryparam.  It's discussed quite 
often.  But, since most people learn ColdFusion on their own, and it's not a 
necessary tag to know about to get things done, you could go for years 
without using it or even understanding why it's needed.

-- Josh



~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311323


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
And this is where I am. I have been using CF since 4.5. Very Scary. Glad I have 
found this list. I am sure to learn a lot. I will try to read and not bother.
 
Thanks for the SMACK DOWN. I will start to write it in and become more learned. 
I can say, just in the last weeks since joining I have learned a lot.
 
~David G. Moore, Jr.

~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311324


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Justin Scott
> When you say "Update Your Code", are you saying using cfqueryparam? But 
> even so, the SQL injection still will use up countless resources instead of 
> cutting it off early. So, go back and fix 1,000's of lines of code I have 
> developed over the last 'umpteen' years or stop it before it starts? Is this 
> something new to CF8 or just a necessary evil because of SQL Injection 
> Attacks? 

Essentially, yes, code should be using cfqueryparam and other secure 
coding methods to keep the baddies out.  The resources will get used 
either way, really.  You can either rely on a filter up-front and use up 
CPU cycles regardless of whether a user is legitimate or not, or even 
whether or not a query is being run in the page or not, etc.  Or, you 
can implement cfqueryparam where appropriate and only use those cycles 
where they're needed, and you'll get the added benefit of prepared 
statements on the SQL Server in most cases and the queries will run 
slightly faster as a result.  Either way you go, protect yourself and 
your clients.

SQL injection attacks have been around since before I got started in web 
development, and secure coding against them has been a best practice 
just as long.  I remember updating old CF code I inherited way back 
when I was using ColdFusion 4, so it's certainly nothing new.

It's unfortunate that you haven't seen this in practice until now, but 
it really is something you should be doing.  It's been my observation 
over the years that web programmers in general (not just limited to 
ColdFusion) tend to learn about security only when there is a breach of 
some kind, and then have to scramble to learn under fire.  Just as an 
example, how many out there run e-commerce applications and have never 
heard of PCI-DSS?

I'm not picking on you specifically, David, so please don't think I'm 
calling you out or anything.  I'm always learning new things myself, but 
we web developers need to collectively get more educated about the risks 
and threats we face and alter our practice accordingly.


-Justin Scott
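
The dynamic NOT IN (#listQualify(...)#) pattern from Dave Phillips' reply earlier in the digest, and the cfqueryparam approach Justin describes above, side by side as an added example (my code, not either poster's). The table, column and query names are the thread's; the datasource name myDSN, the url.inventory parameter, the "1 = 1" placeholder predicate and the CF_SQL_VARCHAR type are assumptions.

```cfml
<!--- BEFORE: dynamic SQL. The record values are pasted into the statement
      text, so the database parses them as SQL. A value containing a quote
      changes the query instead of being compared as data, and every
      distinct list yields a new statement the database has to plan again.
      The recordCount guard is still required: "NOT IN ()" is a syntax error. --->
<cfquery name="getWorks" datasource="myDSN">
    SELECT Works.Inventory
    FROM   Works
    WHERE  1 = 1
    <cfif getActiveWorks.recordCount>
        AND Works.Inventory NOT IN
            (#listQualify(valueList(getActiveWorks.ThisReference), "'")#)
    </cfif>
</cfquery>

<!--- AFTER: the same query with the list bound through cfqueryparam.
      list="true" turns the comma-separated valueList() into one bind
      parameter per value. The driver sends the statement text with
      placeholders and the values separately, so no value can be parsed as
      SQL, and the constant statement text lets the database reuse its
      prepared plan (the "slightly faster" effect Justin mentions).
      cfsqltype must match the column's type; CF_SQL_VARCHAR is assumed here,
      use CF_SQL_INTEGER (or similar) for a numeric key. --->
<cfquery name="getWorks" datasource="myDSN">
    SELECT Works.Inventory
    FROM   Works
    WHERE  1 = 1
    <cfif getActiveWorks.recordCount>
        AND Works.Inventory NOT IN (
            <cfqueryparam value="#valueList(getActiveWorks.ThisReference)#"
                          cfsqltype="CF_SQL_VARCHAR"
                          list="true" />
        )
    </cfif>
</cfquery>

<!--- The same tag handles the usual entry point for injection, a single URL
      or form value: the value is bound, never concatenated into the SQL.
      maxlength additionally rejects over-long input before it reaches the
      database. --->
<cfquery name="getWork" datasource="myDSN">
    SELECT Works.Inventory
    FROM   Works
    WHERE  Works.Inventory = <cfqueryparam value="#url.inventory#"
                                           cfsqltype="CF_SQL_VARCHAR"
                                           maxlength="50" />
</cfquery>
```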



~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311325


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Kelly
As someone who was hit by the attack on the first day, I will say I've 
used cfqueryparam for years and yet I had a handful of pages with old 
code where I was not using cfqueryparam. It just takes one page that's 
publicly accessible to do damage. Once I fixed the pages in question, 
try as they might, I have not been affected since.

Using cfqueryparam is a good habit to get into, to protect your sites 
and client sites. I was also running a forum program I purchased years 
ago, CFForum2000 I think, and all the code in that product was not using 
cfqueryparam either. I had to go through and edit the code throughout. 
It's possible their newer versions are using proper coding but it was a 
bit of a pain, and really my own fault for not rechecking that code long 
ago.
Kelly



~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311326


RE: SQL injection attack on House of Fusion

2008-08-20 Thread Dave Watts
> Does this thing just raise its ugly head every now and then 
> and go away for a while? This is the first I have seen of it 
> on my server.

This is the first large-scale automated SQL injection attack. Automated
attacks have been around for a long time, as have SQL injection attacks.

Honestly, this current attack is just a nuisance. SQL injection attacks are
usually more destructive, in that they often involve the theft of sensitive
data. In those cases, of course, the attack is manual rather than automated.
But if your site is vulnerable to this automated attack, it has always been
vulnerable to these manual, destructive attacks - which may have already
occurred without your knowledge.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311327


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
Justin,
 
I certainly don't feel picked on. I feel blessed to have a place where I can 
learn from people who do know so much. And you are right. I (we) only seem to 
learn under fire. I am a one man business owner in a small town with limited 
resources and time. 10 hour days, work weekends, what is family time except 
coaching baseball-soccer-basketball, and I have forgotten what sleep even is. 
So, what do we do?
 
I am a little embarrassed to say I didn't know, but at least in honesty I can 
learn and get a complete picture. 
 
So, what is PCI-DSS (he asks sheepishly), or is that a whole 'nother post?
 
Thanks everyone!
 
~David G. Moore, Jr.
 
P.S. Speaking of Smack Downs, Mary Jo's got a great right cross :) Go get 'em 
girl!

~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311328


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Eric Cobb
> is cfqueryparam something a lot of programmers really use?


Only the good ones.  ;)


Thanks,

Eric


~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311329


RE: SQL injection attack on House of Fusion

2008-08-20 Thread Mark Kruger
Right on Dave... That's a point I've been making as well.  

It is the SQL injection attacks that don't obviously do anything that are
more insidious. For those of you who have found your sites vulnerable, this
attack is not the one that should be keeping you up at night. Instead, it
should be those attacks that came in and left with your data without
arousing any alarm at all :)

-Mark


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com




~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311330


RE: SQL injection attack on House of Fusion

2008-08-20 Thread Mark Kruger
Eric, 

A good answer might be "it is now" :)





~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311331


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
The only way I found the SQL Injection Attack was my server kept crawling to a 
dead halt. I looked in SeeFusion (some software I purchased that lets me see 
what is going on live with the websites) and I noticed that the sites' Total 
Time just kept going up and never resolving, basically every website coming to 
a halt and bringing my server to a screeching halt. I would reboot CF to get 
it to unlock. After a scan of Cold Fusion logfiles application.cfm file, I saw 
this weird URL string and thus my search landed me here.
 
Whether or not that is what was or is bringing my server to a halt, I don't 
know - but I can only hope. I am pretty sure it has something to do with the 
(don't everyone scream all at once) 45 Access databases I am using to run the 
individual websites off of or not, but just maybe.
 
~ David G. Moore, Jr.
 
P.S. Can't wait to see everyone's response to this one? I am pretty sure I am 
about to get another SMACK DOWN...

Subject: RE: SQL injection attack on House of Fusion
From: [EMAIL PROTECTED]
To: cf-talk@houseoffusion.com
Date: Wed, 20 Aug 2008 17:59:23 -0400

 Does this thing just raise its ugly head every now and then and go away for a
 while? This is the first I have seen of it on my server.

This is the first large-scale automated SQL injection attack. Automated attacks
have been around for a long time, as have SQL injection attacks.

Honestly, this current attack is just a nuisance. SQL injection attacks are
usually more destructive, in that they often involve the theft of sensitive
data. In those cases, of course, the attack is manual rather than automated.
But if your site is vulnerable to this automated attack, it has always been
vulnerable to these manual, destructive attacks - which may have already
occurred without your knowledge.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction
at our training centers in Washington DC, Atlanta, Chicago, Baltimore,
Northern Virginia, or on-site at your location. Visit
http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311332


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
Well, it is my goal :) not there yet...

Subject: Re: SQL injection attack on House of Fusion
From: [EMAIL PROTECTED]
To: cf-talk@houseoffusion.com
Date: Wed, 20 Aug 2008 16:59:26 -0500

 is cfqueryparam something a lot of programmers really use?

Only the good ones. ;)

Thanks,
Eric

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311333


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
So, I have found like the Mother Lode of good programmers who really care 
about Cold Fusion and take the time to do it right? Because every piece of code 
I have ever gotten from Adobe Exchange or purchased from other sites has never 
had cfqueryparam. And I know Ben is going to shoot me, because looking back 
at some of his Advanced books now I see where he says I should be using it.
 
I guess my 10 hour days just turned into 14 hours. Anybody got a Starbucks 
Supersize Java Java Double Caffeine coupon?
 
Eric is pretty good at the Smack Down too, Eric The Great takes David the Geek 
over the ropes and into the first row of chairs! (Yes, I am from the South and 
everything references Wrestling or Nascar)
 
~David

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311334


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Justin Scott
 I certainly don't feel picked on. I feel blessed to have a place where I can 
 learn from people who do know so much. And you are right. I (we) only seem to 
 learn under fire. I am a one man business owner in a small town with limited 
 resources and time. 10 hour days, work weekends, what is family time except 
 coaching baseball-soccer-basketball, and I have forgotten what sleep even is. 
 So, what do we do?

Well, the first step is getting more connected to the community, being 
exposed to different styles, and being on a list such as this one is a 
great start.  Presentations at user groups can also cover topics such as 
this if you have one near your area.

 So, what is PCI-DSS (he asks sheepishly) or is that a whole nother Post

In short, PCI-DSS is the Payment Card Industry Data Security Standard. 
It is required for any merchant who accepts, processes, handles, stores, 
or transmits credit card or debit card information.  It isn't law, but 
your merchant account (or those of your clients) will have provisions in 
their contracts that require compliance with these rules.  You can read 
more about it at:

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

That's another whole can o' worms though.


-Justin Scott



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311335


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Justin Scott
 So, I have found like the Mother Load of good programmers who really care 
 about Cold Fusion and take the time to do it right?

Pretty much.  The skill level on the list varies from "can express the 
meaning of life in ColdFusion" to "what's a database" so your experience 
may vary.  I'd like to think that everyone here, including me, is 
looking to learn through the experience of others, so you're in the 
right place.  Welcome!


-Justin Scott



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311336


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
Consider me connected. At the same time, I will try not to just suck the life 
out of the list and provide substance where I can. I was a morning radio 
announcer for 20 years before becoming a web programmer, so if you can't 
remember the name of that song or artist - just ask. :)
 
As for the can o' worms. If you're ever in Spartanburg, SC, just bring 'em 
along and I can show you some really nice fishin!
 
Seriously, thanks everyone!
 
~David G. Moore, Jr.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311337


RE: SQL injection attack on House of Fusion

2008-08-20 Thread Dave Watts
 When you say Update Your Code, are you saying using 
 cfqueryparam?

Yes. That is the only mechanism guaranteed to prevent known and future SQL
injection attacks. Using a filter can protect you from the current attack
long enough for you to fix your broken code.

 But even so, the SQL injection still will use 
 up countless resources instead of cutting it off early. So, 
 go back and fix 1,000's of lines of code I have developed 
 over the last 'upteen' years or stop it before it starts? Is 
 this something new to CF8 or just a necessary evil because of 
 SQL Injection Attacks. 

It's only possible to stop something before it starts if you can clearly
identify what it is. In this attack, for example, there are some specific
keywords that you can use in a filter: DECLARE and CAST. The next attack may
use different keywords, or different permutations of the same keywords
(using Unicode sequences instead of ASCII characters, for example).

Your main concern is not the consumption of resources as a result of an
automated attack. That's just like any other denial of service attack,
basically. If you can filter it out successfully, that's good for you, but
you should be far more concerned with the results of a successful SQL
injection attack.

 is cfqueryparam something a lot of programmers really use?

A lot of (arguably, almost all) competent programmers use it. Fewer
incompetent programmers use it. I'm not trying to pick a fight with you
either; I'm not calling you incompetent. But at this point, web application
programmers using almost any language should be familiar with the concept of
prepared statements (what you're building with CFQUERYPARAM) and why they're
important.

 I am afraid all I know is what I have learned from books and 
 forums. This is the first I have ever heard of using cfqueryparam.

It's been mentioned periodically on this list for years. It's covered in the
official Adobe courseware, and in all of the CF books I've seen. That said,
I can see how you might not know about it if you don't pay relatively close
attention to all this stuff.

But with THAT said, it is your job and responsibility as a web developer to
be aware of best practices and requirements within that field. There are
PLENTY of resources about building secure web applications. Those resources
might not cover CF specifically all that much, but if you read in Open Web
Application Security Project (http://www.owasp.org/index.php/Top_10_2007),
for example, about the top ten vulnerabilities in web applications, you
would see that SQL injection is on the list and that you use prepared
statements to prevent it. Your next question should be, how do I build a
prepared statement in ColdFusion? You, as the web developer, are often
responsible for ALL SORTS of things that you're not going to learn in books
or forums: development issues like application security, interface issues
like usability and accessibility, business issues, deployment issues, etc,
etc. What's more, your responsibility may well be legally binding; in other
words, you might get sued for doing the wrong thing for a client.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
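As an added example, not code from any of the posts above nor from SQLPrev or Mary Jo's script, the Python script below puts the two defenses discussed in this thread side by side: a filter of the kind Justin describes (basic SQL keywords plus a semicolon in URL variables, with DECLARE and CAST as the keywords Dave names for the current attack), the string-concatenated query such a filter is meant to shield, and a bound-parameter query that is the SQLite equivalent of <cfqueryparam cfsqltype="cf_sql_integer">. The products table, the column names, the EXEC keyword and the three request values are assumptions constructed for the demo; it runs offline against an in-memory database.

```python
import sqlite3
from urllib.parse import unquote_plus

# Keywords a quick-and-dirty filter might look for. DECLARE and CAST are the
# ones named for the 2008 automated attack; EXEC is an assumption for the demo.
FILTER_KEYWORDS = ("DECLARE", "CAST", "EXEC")


def make_demo_db():
    """Constructed sample data: a tiny products table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 9.99), (2, "gadget", 19.99), (3, "gizmo", 4.50)],
    )
    conn.commit()
    return conn


def keyword_filter_blocks(raw_url_value):
    """Model of a SQLPrev-style check: URL-decode once, then block only when a
    semicolon AND one of the known keywords are both present."""
    decoded = unquote_plus(raw_url_value).upper()
    return ";" in decoded and any(k in decoded for k in FILTER_KEYWORDS)


def lookup_vulnerable(conn, product_id):
    """The pattern behind the attack: user input spliced into the SQL text."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, product_id):
    """Prepared statement with a typed bind, the equivalent of
    <cfqueryparam cfsqltype="cf_sql_integer">: the value is checked as an
    integer and sent separately from the SQL text, so the database never
    parses it as SQL."""
    try:
        bound = int(product_id)
    except (TypeError, ValueError):
        raise ValueError("product id must be an integer: %r" % (product_id,))
    return [row[0] for row in conn.execute(
        "SELECT name FROM products WHERE id = ?", (bound,))]


def demo():
    """Run both code paths against a normal value, the shape of the bot's
    payload, and a hand-drafted payload the filter does not recognise."""
    conn = make_demo_db()
    requests = (
        ("normal", "2"),
        ("automated", "2;DECLARE @s VARCHAR(4000);EXEC(@s)--"),  # assumed shape
        ("hand_made", "2 OR 1=1"),                               # no ';', no keyword
    )
    results = {}
    for label, value in requests:
        blocked = keyword_filter_blocks(value)
        results[label] = {"filter_blocks": blocked}
        if not blocked:
            # The filter let it through, so the concatenated query runs as-is.
            try:
                results[label]["vulnerable_rows"] = lookup_vulnerable(conn, value)
            except sqlite3.Error as exc:
                results[label]["vulnerable_rows"] = "error: %s" % exc
        # The bound query needs no filter in front of it.
        try:
            results[label]["parameterized_rows"] = lookup_parameterized(conn, value)
        except ValueError:
            results[label]["parameterized_rows"] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The "hand_made" case is the point Dave makes: a payload with no semicolon and none of the expected keywords sails past the filter and the concatenated query returns every row, while the bound-parameter version rejects it (or, with a text bind, would compare the whole string as one literal and match nothing). The filter still earns its keep against the known bot traffic, which is exactly the short-term role Justin describes for it.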

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311338


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mike Kear
A while ago I read a totally riveting book called The Art Of
Intrusion by Kevin D Mitnick, the legendary hacker who was sent to
jail for his intrusion exploits. He runs a security company now,
that tests your security and reports back on how well you've done.

He says one of the most common failures of security systems of all
kinds is that they rely on a secure perimeter. The theory is that
if we keep the hordes out of the city at the boundaries, that's all
we need to do. Unfortunately all the bad guys need is a single crack
in that outer perimeter and they can go wherever they like. So his
hacking attempts usually meant hunting for some hole in the wall, and
once through that hole the entire enterprise was laid out for the
taking.

He'd find a router left online but unsecured by some lazy support
person who wanted to be able to work from home. Or a long-forgotten
modem somewhere, and once through that security hole, there were no
other security blockers and the whole network was his for the raping
and pillaging.

The lesson we learn from this? Don't rely on only one defense
mechanism. All it takes is one crack in that armour and you're dead.
You need to use all the weapons you have at your disposal. In this
case, we need to use the Regex blockers, cfqueryparam, strong
passwords, regular password changing, separate physical machines
for web and database - everything you can think of to make it more
difficult for the attackers.

That book was a great read on its own, but a real education for me as
a web developer. I heartily recommend it. The opening chapter is
highly amusing - where he is hired to probe security at a company, and
at the review meeting where he presented his report, he said 'yes I
managed to get in and managed to get some unauthorised access. And
I think you should have done a better job on your application for a
raise. And did you know you are being paid less than others of
equivalent rank in your company? Oh and the profits you're going to
report next month are x xx xx .. you have a secretary who is having
an affair with one of your senior execs.' When their mouths gaped
open he finished it with the clincher .. 'oh and this PC I'm using for
the presentation - it's yours. Your security manager gave it to me,
along with remote admin access to your network, and I have been working
remotely through your network for the past month.'

A fantastic read.

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311339


ColdFusion and Flex jobs

2008-08-20 Thread cf recruiter
http://cfrecruiter.blogspot.com/ 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311340


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mike Kear
Don't feel bad, David.   I am a freelance CF programmer.  I spend most
of my time working on bug fixes or feature enhancements on code
written by others.And the vast majority of files I work on have no
cfqueryparam.

Most of the code I work on really needs re-writing from scratch, it's
so poorly written. At least in my experience, very few CF
programmers use cfqueryparam. It's quite frightening really. Not
only is the code vulnerable to attack, it's slow, inefficient, and
often just plain wrong.

I'd say one of the best things you have ever done as a CF programmer
is join this list and pay attention to the things clever folks like
Dave Watts have to say. Rare is the day when I don't learn something
useful on this list.

-- 
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311341


Re: Query Too Complex for Access?

2008-08-20 Thread Claude Schneegans
 Does anyone else know of any other ways?

Plenty of them, but no one is better ;-)

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311342


Accessing Sharepoint file

2008-08-20 Thread Vamsi Pappu
Hi,

My mission is to copy the file directly from a sharepoint directory (which can 
only be accessed through url path like 
http://sharepointserver/docs/getfile.doc) into the coldfusion application 
server path (defined by mapping)

Issue is I tried using the cffile tag for it but I guess cffile doesn't handle 
the url path like (http://sharepointserver/docs/getfile.doc), so I went with 
cfhttp to resolve the url and get the content.

I am able to pass through all the syntax issues but it gives me an error saying 
"you are not authenticated"; actually there are no credentials set on the 
SharePoint server, even though it gives me the error message.

I'd appreciate if any one has a solution for this?

Thanks & Regards,
Vamsi



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311343


RE: Accessing Sharepoint file

2008-08-20 Thread Dave Watts
 My mission is to copy the file directly from a sharepoint 
 directory (which can only be accessed through url path like 
 http://sharepointserver/docs/getfile.doc) into the coldfusion 
 application server path (defined by mapping)
 
 Issue is I tried using the cffile tag for it but I guess 
 cffile doesn't handle the url path like 
 (http://sharepointserver/docs/getfile.doc), so I went with 
 cfhttp to resolve the url and get the content.
 
 I am able to pass through all the syntax issues but it gives 
 me an error saying you are not authenticated, actually 
 there are no credentials set on the sharepoint server even 
 though it gives me with the error message.

If you can get something via an HTTP request from a browser, but you can't
do the same with CFHTTP, you need to compare the two HTTP requests and see
what's different between them. You can use a packet sniffer or a recording
proxy to examine HTTP traffic.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311344


Coldfusion IDE for Linux

2008-08-20 Thread Jesse Beckton
Is there a decent Coldfusion IDE out there for Linux?

And please don't say CFEclipse because it's just broke! The line numbers in 
the gutter do not display and I have seen the open tickets for this issue in 
their bug tracker and they have closed them with a "won't fix"!

http://trac.cfeclipse.org/cfeclipse/ticket/323

I would really like to run Linux as my primary OS but unfortunately there are 
no CF IDEs to speak of for the Linux platform. 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311345


Re: Coldfusion IDE for Linux

2008-08-20 Thread Charlie Griefer
On Wed, Aug 20, 2008 at 6:01 PM, Jesse Beckton [EMAIL PROTECTED] wrote:

 Is there a decent Coldfusion IDE out there for Linux?

 And please don't say CFEclipse because it's just broke! The line numbers
 in the gutter do not display and I have seen the open tickets for this issue
 in their bug tracker and they have closed them with a won't fix!

 http://trac.cfeclipse.org/cfeclipse/ticket/323



Um... it's been changed to "won't fix" because it doesn't need fixin'.
There's a link on the trac page you linked to that'll take you to the wiki
and show you the resolution to the issue.

-- 
A byte walks into a bar and orders a pint. Bartender asks him What's
wrong? Byte says Parity error. Bartender nods and says Yeah, I thought
you looked a bit off.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311346


Re: Coldfusion IDE for Linux

2008-08-20 Thread andrew lorien
When eclipse breaks for me (like the recent JVM-1.6.whatever issue)
i go back to gedit (and tell gnome to colour .cfm files like html).

really there are only two IDEs for Coldfusion on any platform -
dreamweaver and eclipse.  neither were built with cf in mind, so neither
of them are great.  i keep a windows machine for testing and playing
Oblivion, and sometimes i use eclipse there...

my discovery of the week though, was the subversion plugin for Thunar.
it's not tortoise, but it's good enough.

asdwerf

On Wed, 2008-08-20 at 21:01 -0400, Jesse Beckton wrote:

 Is there a decent Coldfusion IDE out there for Linux?
 
 And please don't say CFEclipse because it's just broke! The line numbers in 
 the gutter do not display and I have seen the open tickets for this issue in 
 their bug tracker and they have closed them with a won't fix!
 
 http://trac.cfeclipse.org/cfeclipse/ticket/323
 
 I would really like to run Linux as my primary OS but unfortunately their are 
 no CF IDE's to speak of for the linux platform. 
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311347


Re: Coldfusion IDE for Linux

2008-08-20 Thread Mark Mandel
I run CFEclipse on Linux, and its no issue for me?

Ubuntu 8.04, Eclipse 3.4.0, Java 1.6.0_06-b02, CFEclipse 1.0.3

Mark


On Thu, Aug 21, 2008 at 11:01 AM, Jesse Beckton [EMAIL PROTECTED] wrote:
 Is there a decent Coldfusion IDE out there for Linux?

 And please don't say CFEclipse because it's just broke! The line numbers in 
 the gutter do not display and I have seen the open tickets for this issue in 
 their bug tracker and they have closed them with a won't fix!

 http://trac.cfeclipse.org/cfeclipse/ticket/323

 I would really like to run Linux as my primary OS but unfortunately their are 
 no CF IDE's to speak of for the linux platform.

 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311348


Re: cfhttp and Google Search Appliance

2008-08-20 Thread Kevin Stone
Hey Dave Watts,

Can you use cfhttp to add/delete/update collection configuration in a Google 
mini?  For example when we add a new collection on one of our systems can we 
use cfhttp to update the other or do we need to do it manually thru the admin 
console? 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311349


Re: Coldfusion IDE for Linux

2008-08-20 Thread Jesse Beckton
Sorry Charlie but that fix does not fix!

Luckily I came across another thread that provides a fix, you have to edit a 
file under your workspace, I would imagine that if you ever change your 
workspace you would have to make the same change there as well.

Um... it's been changed to won't fix because it doesn't need fixin'.
There's a link on the trac page you linked to that'll take you to the wiki
and show you the resolution to the issue.

-- 
A byte walks into a bar and orders a pint. Bartender asks him What's
wrong? Byte says Parity error. Bartender nods and says Yeah, I thought
you looked a bit off. 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311350


Re: Coldfusion IDE for Linux

2008-08-20 Thread Jesse Beckton
Maybe I'll try and run Homesite in wine? 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311351


Re: Coldfusion IDE for Linux

2008-08-20 Thread Charlie Griefer
right... with the recently released beta, you need to implement the fix you
just mentioned.  that's also referenced on the wiki at
http://trac.cfeclipse.org/cfeclipse/wiki/KnownIssues#Missinglinenumbers

it might take some tweaking, but given what you get for the price, i think
it's worth the tweaks.  ymmv.

On Wed, Aug 20, 2008 at 6:25 PM, Jesse Beckton [EMAIL PROTECTED] wrote:

> Sorry Charlie but that fix does not fix!
>
> Luckily I came across another thread that provides a fix, you have to edit
> a file under your workspace, I would imagine that if you ever change your
> workspace you would have to make the same change there as well.
>
> Um... it's been changed to won't fix because it doesn't need fixin'.
> There's a link on the trac page you linked to that'll take you to the wiki
> and show you the resolution to the issue.
>
> --
> A byte walks into a bar and orders a pint. Bartender asks him What's
> wrong? Byte says Parity error. Bartender nods and says Yeah, I thought
> you looked a bit off.
>

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311352


Coldfusion Install Hangs on Installing Web Connectors

2008-08-20 Thread Bob Wright
Hello everyone.  I am stuck and am hoping someone here can help.

I am trying to install CF8 x64 on a Windows Server 2008 x64 box. Unfortunately, 
the installer hangs when trying to install the web connectors.

Before the install, I disabled Windows' firewall.  I also made sure that ISAPI 
Filters and IIS 6 Management Compatibility roles were installed.

Anyone here know how to get through this?  The deadline looms... 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311353


Re: Form submission issue

2008-08-20 Thread Karan Joshi
Thank you all. I managed to sort it out. I tried various methods to solve the 
problem, but the hidden field method worked out best for me. Thanks 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311354


Re: onTap Framework FAST Installation videos

2008-08-20 Thread Geoff Bowers
2008/8/20 s. isaac dealey [EMAIL PROTECTED]:
> Have the onTap framework plus ORM and other plugins installed and
> running inside of 5 minutes, with no coding. And no webserver mapping
> (re: FarCry).

Worth noting that you've been able to run FarCry direct from the
webroot since the release of 5.0 earlier this year.  I published a
video of installing FarCry by dropping into the webroot on OpenBD (of
all things) last weekend as fate would have it:
  http://www.farcrycore.org/tv

Regards,

geoff
http://www.daemon.com.au/

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311355


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
> P.S. Speaking of Smack Downs. Mary Jo's got a great right cross :) Go 
> get 'em girl!

LOL, actually I am a pacifist at heart and always try to not lose my temper 
(serves me well with customers, particularly the endlessly annoying ones!) 

As for not knowing what cfqueryparam is and how to properly secure an 
application (there's more to it than just cfqueryparam) hopefully all these 
issues that people are dealing with will help such information make its way 
into even beginner CF materials, and not have it be so much of an afterthought 
as it seems to have been up to this point. 

--- Mary Jo



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311356


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
> Eric is pretty good at the Smack Down too, Eric The Great takes David 
> the Geek over the ropes and into the first row of chairs! (Yes, I am 
> from the South and everything references Wrestling or Nascar)

Here's another smack down for you... it would be nice if you could remove all 
the extra quoted stuff on your posts... take a look at the online web archives, 
it really makes a mess of the thread! 

--- Mary Jo



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311357


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
Mary Jo,
 
Sorry. Didn't see all that. First time using this kind of post.

> Here's another smack down for you... it would be nice if you could remove all 
> the extra quoted stuff on your posts... take a look at the online web archives, 
> it really makes a mess of the thread!

Will do better in the future. No way for me to go in and edit that once it is 
posted? YUCK. Where's a good Langolier when you need one? Thanks for the 
education though.
 
~David
P.S. I like your Smack Downs. You got GRIT! Were you wearing a cape or mask 
when you wrote that SMACK!?

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311358


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
> Actually I am a pacifist at heart and always try to not lose my temper (serves 
> me well with customers, particularly the endlessly annoying ones!) 

LOLOL. I am actually a moderately conservative liberal. I believe in losing my 
temper only when I know I can't find it. 

> As for not knowing what cfqueryparam is and how to properly secure an 
> application (there's more to it than just cfqueryparam) hopefully all these 
> issues that people are dealing with will help such information make its way 
> into even beginner CF materials, and not have it be so much of an 
> afterthought as it seems to have been up to this point. 

On a serious note, it would have been nice that I would have been more aware 
when I started coding those many years ago. I have more lines of code that need 
reworking than I care to think of, but I have to start somewhere. 

> --- Mary Jo
Thanks for your help today! You have been incredibly patient and kind. Now, I 
must go home because my wife has called for her third and last time, which 
means I am on the couch...
 
~David Rock Moore
 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311359


Re: Web Service Issue , pls help

2008-08-20 Thread vishnu prasad
Hi 
when i try to access the web services it gives the below error 
Web service operation RetrieveDocument with parameters 
{appUserID={_CISWS2},DocumentNumber={189425},ProfileForm={EKRIS_LAD_CPD_PF},DMlib={EKRIS},userID={_CISWS2}}
 cannot be found.  

Can someone help me how to access the ws 

Below is my WSDL
<?xml version="1.0" encoding="utf-8" ?>
<!-- @editor-info:link autogen="false" source="" -->
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:conv="http://www.openuri.org/2002/04/soap/conversation/"
    xmlns:cw="http://www.openuri.org/2002/04/wsdl/conversation/"
    xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
    xmlns:jms="http://www.openuri.org/2002/04/wsdl/jms/"
    xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
    xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:s0="http://www.openuri.org/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    targetNamespace="http://www.openuri.org/">
  <types>
    <s:schema xmlns:s="http://www.w3.org/2001/XMLSchema"
        xmlns:ope="http://www.openuri.org/" elementFormDefault="qualified"
        targetNamespace="http://www.openuri.org/">
      <s:element name="RetrieveDocument">
        <s:complexType>
          <s:sequence>
            <s:element name="DMlib" type="s:string" minOccurs="0" />
            <s:element name="DocumentNumber" type="s:string" minOccurs="0" />
            <s:element name="VersionNo" type="s:string" minOccurs="0" />
            <s:element name="ProfileForm" type="s:string" minOccurs="0" />
            <s:element name="appUserID" type="s:string" minOccurs="0" />
            <s:element name="userID" type="s:string" minOccurs="0" />
          </s:sequence>
        </s:complexType>
      </s:element>
      <s:element name="RetrieveDocumentResponse">
        <s:complexType>
          <s:sequence>
            <s:element name="RetrieveDocumentResult" type="ope:Profile" minOccurs="0" />
          </s:sequence>
        </s:complexType>
      </s:element>
      <s:element name="Profile" nillable="true" type="ope:Profile" />
      <s:complexType name="Profile">
        <s:sequence>
          <s:element name="ContentMimeType" type="s:string" minOccurs="0" />
          <s:element name="ProfileName" type="s:string" minOccurs="0" />
          <s:element name="ProfileType" type="s:string" minOccurs="0" />
          <s:element name="ProfileTitle" type="s:string" minOccurs="0" />
          <s:element name="ProfileProperties" type="ope:ProfilePropertyList"
              minOccurs="0" />
          <s:element name="LocalFilePath" type="s:string" minOccurs="0" />
          <s:element name="ErrorMsgs" type="ope:ArrayOfString" minOccurs="0" />
        </s:sequence>
      </s:complexType>
      <s:complexType name="ProfilePropertyList">
        <s:sequence>
          <s:element name="ProfileProperties" type="ope:ArrayOfProfileProperty"
              minOccurs="0" />
        </s:sequence>
      </s:complexType>
      <s:complexType name="ArrayOfProfileProperty">
        <s:sequence>
          <s:element name="ProfileProperty" type="ope:ProfileProperty" nillable="true"
              minOccurs="0" maxOccurs="unbounded" />
        </s:sequence>
      </s:complexType>
      <s:complexType name="ProfileProperty">
        <s:sequence>
          <s:element name="PropertyName" type="s:string" minOccurs="0" />
          <s:element name="PropertyValue" type="s:string" minOccurs="0" />
        </s:sequence>
      </s:complexType>
      <s:complexType name="ArrayOfString">
        <s:sequence>
          <s:element name="String" type="s:string" nillable="true" minOccurs="0"
              maxOccurs="unbounded" />
        </s:sequence>
      </s:complexType>
    </s:schema>
  </types>
  <message name="RetrieveDocumentSoapIn">
    <part name="parameters" element="s0:RetrieveDocument" />
  </message>
  <message name="RetrieveDocumentSoapOut">
    <part name="parameters" element="s0:RetrieveDocumentResponse" />
  </message>
  <message name="RetrieveDocumentHttpGetIn">
    <part name="DMlib" type="s:string" />
    <part name="DocumentNumber" type="s:string" />
    <part name="VersionNo" type="s:string" />
    <part name="ProfileForm" type="s:string" />
    <part name="appUserID" type="s:string" />
    <part name="userID" type="s:string" />
  </message>
  <message name="RetrieveDocumentHttpGetOut">
    <part name="Body" element="s0:Profile" />
  </message>
  <message name="RetrieveDocumentHttpPostIn">
    <part name="DMlib" type="s:string" />
    <part name="DocumentNumber" type="s:string" />
    <part name="VersionNo" type="s:string" />
    <part name="ProfileForm" type="s:string" />
    <part name="appUserID" type="s:string" />
    <part name="userID" type="s:string" />
  </message>
  <message name="RetrieveDocumentHttpPostOut">
    <part name="Body" element="s0:Profile" />
  </message>
  <portType name="retrieveDocumentAttachmentSoap">
    <operation name="RetrieveDocument">
      <documentation>Retrieve Document Web Service Description: This web service 
retrieves the required document profile and the document file for the user id 
Parameters: DMLib - Name of the DM Repository/Library where the document to be 
retrieved resides in DocumentNumber - The unique identifier of the document to 
be retrieved VersionNo - Optional parameter. The version of the document to 
retrieve. If null, will retrieve latest version ProfileForm - The document 
profile Form to use appUserID - The user ID of the application account calling 
this webservice (DM account) userID - The user ID of the actual user using this 
webservice (DM account) Returns: Document Profile of successfully retrieved 
document Byte Stream of document Retrieved String Array of Error 
Messages</documentation>
      <input message="s0:RetrieveDocumentSoapIn" />
      <output 
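An added example, not from the original post, of invoking the operation exactly as the WSDL above declares it. The WSDL lists six input elements for RetrieveDocument (DMlib, DocumentNumber, VersionNo, ProfileForm, appUserID, userID), while the error message shows a call carrying five, with VersionNo absent; ColdFusion resolves a web service operation by the complete set of argument names it is given, so the call below passes every declared element and sends an empty VersionNo rather than leaving it out. The endpoint URL is a placeholder; the argument values are the ones from the error message.

```cfml
<!--- Added example, not from the original post. The webservice URL is a
      placeholder; use the address the WSDL above was fetched from. --->
<cfinvoke webservice="https://dm.example.invalid/retrieveDocumentAttachment?WSDL"
          method="RetrieveDocument"
          returnvariable="profile">
    <cfinvokeargument name="DMlib"          value="EKRIS">
    <cfinvokeargument name="DocumentNumber" value="189425">
    <!--- optional in the schema, but still a declared part of the
          operation, so it is passed (empty) instead of omitted --->
    <cfinvokeargument name="VersionNo"      value="">
    <cfinvokeargument name="ProfileForm"    value="EKRIS_LAD_CPD_PF">
    <cfinvokeargument name="appUserID"      value="_CISWS2">
    <!--- the WSDL documentation distinguishes the application account
          (appUserID) from the person using it (userID); the value here is
          the one from the error message, but in production this should be
          the real user's DM account so the DM side's audit trail stays
          meaningful --->
    <cfinvokeargument name="userID"         value="_CISWS2">
</cfinvoke>

<!--- the returned Profile type carries the service's own error strings in
      ErrorMsgs; inspect them rather than treating a returned object as
      success --->
<cfdump var="#profile#">
```

If the names or the number of arguments differ from the six the WSDL declares, ColdFusion reports the "cannot be found" error shown above rather than a SOAP fault from the remote side, which is why the first thing to compare is the argument list against the `RetrieveDocument` element in the schema.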

Re: SQL injection attack on House of Fusion

2008-08-20 Thread Jochem van Dieten
David Moore, Jr. wrote:
> I am currently using the SQLprev.cfm from Jochem

The what from whom?

Jochem

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311361


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
OK. I thought it was from you. I was sent an email with the link to SQLprev.cfm 
in an email and they referenced I use your suggestion in the email as well. I 
stuck the two together.

> David Moore, Jr. wrote:
> > I am currently using the SQLprev.cfm from Jochem

Jochem wrote? "The what from whom?" Please don't shoot me. I am new to all this? 
Sleep deprived...
 
~David

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311362


RE: SQL injection attack on House of Fusion

2008-08-20 Thread Jenny Gavin-Wear
I'm using WhosOn, an IIS server monitor.  It does an auto look up on the
location of the IP and I can also set it up to record alerts for keywords,
such as DECLARE.

www.whoson.com


-Original Message-
From: Brad Wood [mailto:[EMAIL PROTECTED]
Sent: 09 August 2008 18:37
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion


Bobby, what have you been using to look up the origin of the IPs en masse?
I found a site that lets me do a handful at a time, but I don't know how
accurate the data is. It is saying the majority of my IPs originated from
the US.

~Brad

- Original Message -
From: Bobby Hartsfield [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Saturday, August 09, 2008 11:58 AM
Subject: RE: SQL injection attack on House of Fusion


> Now look at how many of those are from Asia Pacific Network Info Centre




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311363
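The keyword alert Jenny describes, and Brad's question about collecting the attacking IPs in bulk, can be done offline against the IIS logs themselves. The following is an added example (not code from the thread, and not WhosOn): it reads W3C-format IIS log text, URL-decodes the query string of each request, flags the ones containing the SQL keyword DECLARE as a whole word, and tallies the client IPs of the flagged requests so they can be fed to a lookup service in one batch. Column positions are taken from the log's own Fields directive instead of being hard-coded. The log lines at the bottom are constructed sample data, with RFC 5737 documentation addresses.

```cfml
<cfscript>
/*
 * Added example, not from the list. Scans IIS W3C-format log text for
 * requests whose query string contains DECLARE and tallies the client IPs.
 * The sample log below is constructed data, not a real server log.
 */
function scanIisLog(logText) {
    var lines    = listToArray(logText, chr(10));
    var idx      = structNew();   // column name -> position
    var fields   = arrayNew(1);
    var hits     = arrayNew(1);
    var ipCounts = structNew();
    var result   = structNew();
    var parts    = arrayNew(1);
    var decoded  = "";
    var ip       = "";
    var i = 0;
    var j = 0;

    for (i = 1; i LTE arrayLen(lines); i = i + 1) {
        if (left(lines[i], 8) EQ "##Fields:") {
            // the directive names the columns; map each name to its position
            fields = listToArray(trim(removeChars(lines[i], 1, 8)), " ");
            for (j = 1; j LTE arrayLen(fields); j = j + 1) idx[fields[j]] = j;
            continue;
        }
        // skip other directives, blank lines and anything before the header
        if (left(lines[i], 1) EQ "##" OR NOT len(trim(lines[i]))
            OR NOT structKeyExists(idx, "cs-uri-query")) continue;

        parts = listToArray(lines[i], " ");
        if (arrayLen(parts) LT arrayLen(fields)) continue;

        // the keyword is normally URL-encoded in the log, so decode before
        // matching; a malformed escape sequence is treated as not decodable
        try {
            decoded = urlDecode(parts[idx["cs-uri-query"]]);
        } catch (Any e) {
            decoded = parts[idx["cs-uri-query"]];
        }
        // whole-word, case-insensitive match so "declared" does not trigger
        if (reFindNoCase("\bDECLARE\b", decoded)) {
            ip = parts[idx["c-ip"]];
            arrayAppend(hits, lines[i]);
            if (NOT structKeyExists(ipCounts, ip)) ipCounts[ip] = 0;
            ipCounts[ip] = ipCounts[ip] + 1;
        }
    }
    result.hits     = hits;
    result.ipCounts = ipCounts;
    return result;
}

// constructed sample log (IIS 6 default field order, documentation IPs)
sampleLog = "##Software: Microsoft Internet Information Services 6.0" & chr(10)
    & "##Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status" & chr(10)
    & "2008-08-20 13:49:36 10.0.0.5 GET /product.cfm id=42 80 - 192.0.2.10 Mozilla/4.0+(compatible) 200 0 0" & chr(10)
    & "2008-08-20 13:49:37 10.0.0.5 GET /product.cfm id=42;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x2D2D2D%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 198.51.100.7 Mozilla/4.0+(compatible) 200 0 0" & chr(10)
    & "2008-08-20 13:49:38 10.0.0.5 GET /product.cfm id=7%3BdEcLaRe%20@s%20varchar(4000) 80 - 198.51.100.7 Mozilla/4.0+(compatible) 500 0 0" & chr(10)
    & "2008-08-20 13:49:39 10.0.0.5 GET /about.cfm declared=independence 80 - 192.0.2.11 Mozilla/4.0+(compatible) 200 0 0";

report = scanIisLog(sampleLog);
// expected on the sample: 2 flagged requests, both from 198.51.100.7
writeOutput(arrayLen(report.hits) & " request(s) contained DECLARE<br>");
for (ip in report.ipCounts) {
    writeOutput(ip & " appears " & report.ipCounts[ip] & " time(s)<br>");
}
</cfscript>
```

A keyword hit is a signal to investigate, not proof of compromise; the useful next checks are whether the request returned 200 rather than an error, and whether the same client went on to hit other pages with similar query strings. The `ipCounts` struct is what you hand to a bulk lookup instead of pasting addresses a handful at a time.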


RE: SQL injection attack on House of Fusion

2008-08-20 Thread Jenny Gavin-Wear
This is totally off topic in this list, but I'll make this comment and
that's an end to it.

Your expression "asked for rape" defies the logic of your argument.  "Asked
for rape" would mean she asked for sex and would therefore be a consenting
adult, ie, not a rape victim.

Overall a really bad and totally insensitive analogy, the likes of which I
hope we never see on this list again.

Enough 

-Original Message-
From: Mark Kruger [mailto:[EMAIL PROTECTED]
Sent: 11 August 2008 16:24
To: CF-Talk
Subject: RE: SQL injection attack on House of Fusion


Rick,

While your argument is well put, perhaps we could choose a slightly less
inflammatory analogy than rape. We have a large group here and I wouldn't
want anyone to be incensed by trivializing such a traumatic event (although
obviously that is not the intent).

-Mark

-Original Message-
From: Rick Faircloth [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2008 9:45 AM
To: CF-Talk
Subject: RE: SQL injection attack on House of Fusion

This would probably be more productively viewed as a responsibility
issue, rather than blame.

Both parties, webmaster and attacker, bear responsibility for the status of
the server/data/etc.

A negligent server/website admin bears a certain amount of responsibility
for the situation.  The attacker also bears responsibility for the
consequences of the attack.

A court of law might hold only the attacker ultimately responsible.
However, the supervisor of a negligent server/website administrator would
view it as shared responsibility between the attacker and the attacked, as
in, "Why wasn't the server/website protected in the first place?"

Viewing this as a rape case, if a girl was hanging out on a street corner
and asking passers-by to rape her, then, yes, she bears some responsibility
for putting herself in that situation.  It doesn't mean the one who rapes
her doesn't bear the greater responsibility for the situation, and,
therefore, punishment, but a fair judge would have to ask the girl why was
she asking passers-by to rape her in the first place.

Girls should reasonably avoid provoking rapists, and rapists should resist
their impulses.

Likewise, server/website admins should reasonably protect their servers and
websites, but hackers should avoid their impulses or share responsibility
for the situation.

Rick





Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311364


RE: cfhttp and Google Search Appliance

2008-08-20 Thread Dave Watts
> Hey Dave Watts,
>
> Can you use cfhttp to add/delete/update 
> collection configuration in a Google mini? 
> For example when we add a new 
> collection on one of our systems can we 
> use cfhttp to update the other or do we
> need to do it manually thru the admin 
> console?

Hey, Kevin!

Yes, you can! However, it's a pain. You'll need to capture the cookie from your 
initial request, then send admin credentials  in an HTTP POST, then do the 
collection submission.

Dave Watts, CTO, Fig Leaf Software 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311365
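The three steps Dave lists, written out with cfhttp as an added example (not code from his reply, and not taken from Google's documentation): fetch a first page to receive the appliance's session cookie, post the admin credentials with that cookie, then post the collection change with the same cookie. The host, the paths and the form field names are placeholders that must be read off the appliance's own admin pages; the credentials are assumed to live in the application scope rather than in the template.

```cfml
<!--- Added example. Host, paths and form field names are placeholders;
      application.gsaAdminUser / application.gsaAdminPassword are assumed
      to be set in Application.cfc from configuration, not hard-coded. --->
<cfset adminBase = "https://gsa.example.invalid:8443">   <!--- placeholder host --->

<!--- 1. initial request: the appliance answers with its session cookie --->
<cfhttp url="#adminBase#/admin" method="get" result="first">

<cfset sessionCookie = "">
<cfif structKeyExists(first.responseHeader, "Set-Cookie")>
    <cfset rawCookie = first.responseHeader["Set-Cookie"]>
    <!--- several Set-Cookie headers arrive as a struct keyed 1..n --->
    <cfif isStruct(rawCookie)>
        <cfset rawCookie = rawCookie[1]>
    </cfif>
    <cfset sessionCookie = listFirst(rawCookie, ";")>   <!--- keep name=value only --->
</cfif>
<cfif NOT len(sessionCookie)>
    <cfthrow message="No session cookie received from #adminBase#">
</cfif>
<cfset cookieName  = listFirst(sessionCookie, "=")>
<cfset cookieValue = listRest(sessionCookie, "=")>

<!--- 2. log in: credentials travel in the POST body over TLS, tied to the
      cookie from step 1 so the appliance associates the login with it --->
<cfhttp url="#adminBase#/admin/login" method="post" result="login">
    <cfhttpparam type="cookie"    name="#cookieName#" value="#cookieValue#">
    <cfhttpparam type="formfield" name="username" value="#application.gsaAdminUser#">
    <cfhttpparam type="formfield" name="password" value="#application.gsaAdminPassword#">
</cfhttp>
<cfif NOT reFind("^(200|302)", login.statusCode)>
    <cfthrow message="Login to the search appliance failed: #login.statusCode#">
</cfif>

<!--- 3. submit the collection change with the now-authenticated session --->
<cfhttp url="#adminBase#/admin/collections" method="post" result="submit">
    <cfhttpparam type="cookie"    name="#cookieName#" value="#cookieValue#">
    <cfhttpparam type="formfield" name="collectionName" value="#form.collectionName#">
    <cfhttpparam type="formfield" name="action"         value="add">
</cfhttp>
<cfif NOT reFind("^(200|302)", submit.statusCode)>
    <cfthrow message="Collection submission failed: #submit.statusCode#">
</cfif>
```

Because the account used here is an appliance administrator, the two things worth checking before putting this into a scheduled task are that the admin port is reachable only from the ColdFusion host and that the credentials are loaded from configuration the web root cannot serve.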