Blog

Category Filtering: 'CF'

Remove Filter


Watch those relative URLs with SES

Posted by Brad Wood
Aug 09, 2008 10:21:00 UTC
I love infinite loops. They're sort of the black hole of programming. No one really knows what you code does when it reaches the last iteration of an infinite loop, but I speculate it has something to do with String Theory and unbounded time and space increasing proportionately to the rate of dense matter being compressed by gravitational forces so strong even light can't escape. Well, that's what I came up with off the top of my head anyway. Speaking of infinite loops, I found one happening on my server today.

Bitwise Operators: A Bit Wise

Posted by Brad Wood
Aug 02, 2008 08:25:00 UTC
Here's a couple functions you've probably rarely used in ColdFusion: bitand(), bitor(), bitnot(), bitxor() etc. Frankly I've rarely needed any of them, but this week I did find a clever use for bitand(). I was messing around with a simple database-driven calendar I put on my church's website because I promised them a reoccurring event feature. I needed a simple way to store 12 "monthly" checkboxes without using 12 columns in the database.

Operation cf_SQLProtect: 16,000 cfqueries protected

Posted by Brad Wood
Aug 01, 2008 06:25:00 UTC
I have confirmed at least 16,000 individual cfquery tags which have been protected from SQL injection vulnerabilities by having cfqueryparam added to them.

ColdFusion Levenshtein Distance: String comparison and highlighting

Posted by Brad Wood
Jul 29, 2008 22:01:00 UTC
This is a fun project I put out there a while back. I recently went through and optimized the performance a bit so I could officially blog it. It is an implementation of the Levenshtein Distance Algorithm in CFScript that I based off of a C# version written by Siderite Zackwehdex. Finding the "distance" between two strings is a means of comparing two strings to see how similar they both are. This can be done by finding the Longest Common String or LCS. It is as much a brain bender as it can be occasionally useful.

cfqueryparam: it's not just for security-- also, when NOT to use it

Posted by Brad Wood
Jul 26, 2008 16:33:00 UTC
I generally don't care to write about topics that have already had the stuffing blogged out of them. However, I've still seen some of these questions floating around and I figure it never hurts to have more than one place on the 'net talking about it. The two things I wanted to cover real quick are how cfqueryparam may (or may not) enhance the performance of your queries. Also, when does criteria in a query NOT need a cfqueryparam.

Today is Operation cf_SQLprotect

Posted by Brad Wood
Jul 25, 2008 20:45:00 UTC
Today is the day. Unless you can bet money that every cfquery in your application is completely safe from SQL inject attacks you need to stop what you are doing and scan your sites. I have reviewed two cfqueryparam scanners to find vulnerable queries and one of them will even fix 95% of your code for you! If your boss asks what you are doing, tell him you found a security vulnerability being exploited and it needs to be closed. He'll understand.

Announcing the first ever International Operation cf_SQLprotect

Posted by Brad Wood
Jul 24, 2008 12:58:00 UTC
Hear Ye, Hear Ye! I hereby declare Friday, July 25th as the first ever International Operation cf_SQLprotect. In response to the massive amount of SQL injection attacks in the past few weeks I want the ColdFusion community to be doing our darndest to keep our applications safe from harm. This Friday, I want everyone who has a site big or small, well known or obscure, to join the world and scan their code base for vulnerable queries and fix them.

Parameterize your queries without lifting a finger

Posted by Brad Wood
Jul 24, 2008 11:05:00 UTC
Tuesday I blogged Peter Boughton's QueryParam Scanner from RiaForge. Today I'm taking a look at Daryl Banttari's Query Parameterizing tool. Daryl's scanner has an interesting twist. Not only does it find unparameterized queries, it will automatically FIX them FOR you! Daryl Banttari works for WebApper and is part of the genius behind SeeFusion

When will cfqueryparam NOT protect me?

Posted by Brad Wood
Jul 22, 2008 20:31:00 UTC
JR asked a good question on my queryparam Scanner post. He noticed that I had stopped short of saying cfqueryparam would ALWAYS stop ALL SQL injection. He said, "Can you give an example of a SQL Injection attack which is not caught by cfqueryparam ?" I'm glad you asked JR.

QueryParam Scanner- You've got no excuse now

Posted by Brad Wood
Jul 22, 2008 10:07:00 UTC
This April, Peter Boughton put a little tool on RiaForge called QueryParam Scanner. It does what it says and that means you have no excuse not to batten down the hatches on that old code you've got swept under the rug. It also meant I didn't have any excuses either, so I gave it a run tonight.

Site Updates

Entries Search