Coder's Revolution

Do you want a revolution?

Category Filtering: 'SQL'

Does OOP Encourage RBAR?

ColdFusion, Java, Object Oriented Design (OOP), Performance, SQL
I've been staring at my computer monitor trying start this paragraph for about 10 minutes now, so I'm just going to start typing. I've been thinking about system design. Organization versus performance. Design patterns versus efficiency. We adopt some code without thought to its performance because we're talking about milliseconds, and the readability, organization, and structure gains our apps enjoy are well worth it. I'm not sure that is always the case though, and we don't notice it until too late.
Comments are currently closed

SQLi Is Back With A Small TwIST

ColdFusion, Security, SQL
Well, after a brief hiatus, the SQL Injection attacks have reconvened with a small change. They have modified the capitalization of a couple words in the URL. "DECLARE" has become "DeCLARE", and "EXEC" has become "ExEC". This is obviously to get around people who employed case-sensitive filtering mechanisms.
Comments are currently closed

My analysis of the SQL injection zombies

JavaScript, Security, SQL, Technology
So as the SQL injection attacks have rained down on my server for the past few days, my logs have been steadily filling up with data about the requests. Frankly, the data probably can't be trusted, it's all totally un-scientific, and doesn't really lead me any closer to the people responsible for the attacks. Regardless, I think it's pretty interesting. I've compiled some graphs and stats here.
Comments are currently closed

Watch those relative URLs with SES

ColdFusion, General, Performance, Security, SQL, Technology
I love infinite loops. They're sort of the black hole of programming. No one really knows what you code does when it reaches the last iteration of an infinite loop, but I speculate it has something to do with String Theory and unbounded time and space increasing proportionately to the rate of dense matter being compressed by gravitational forces so strong even light can't escape. Well, that's what I came up with off the top of my head anyway. Speaking of infinite loops, I found one happening on my server today.
Comments are currently closed

Operation cf_SQLProtect: 16,000 cfqueries protected

ColdFusion, Security, SQL
I have confirmed at least 16,000 individual cfquery tags which have been protected from SQL injection vulnerabilities by having cfqueryparam added to them.
Comments are currently closed

MySQL performance: INNER JOIN vs. sub-select

Performance, SQL
I ran into an interesting behavior with MySQL this week. I was helping someone speed up a slow page and a sizable increase in performance was achieved by simply re-arranging the SQL statement. The page was calling a SQL statement inside of a loop-- probably around 150 times on a page load. My initial idea (and still the best long-term one I think) was to gather all the information from the database in a single cfquery and not hit the database over and over. That approach would have required quite a lot more refactoring of code, so first we tried to squeeze some better performance out of the SQL already being called.
Comments are currently closed

cfqueryparam: it's not just for security-- also, when NOT to use it

ColdFusion, Performance, Security, SQL
I generally don't care to write about topics that have already had the stuffing blogged out of them. However, I've still seen some of these questions floating around and I figure it never hurts to have more than one place on the 'net talking about it. The two things I wanted to cover real quick are how cfqueryparam may (or may not) enhance the performance of your queries. Also, when does criteria in a query NOT need a cfqueryparam.
Comments are currently closed

Today is Operation cf_SQLprotect

ColdFusion, Security, SQL
Today is the day. Unless you can bet money that every cfquery in your application is completely safe from SQL inject attacks you need to stop what you are doing and scan your sites. I have reviewed two cfqueryparam scanners to find vulnerable queries and one of them will even fix 95% of your code for you! If your boss asks what you are doing, tell him you found a security vulnerability being exploited and it needs to be closed. He'll understand.
Comments are currently closed

Announcing the first ever International Operation cf_SQLprotect

ColdFusion, General, Security, SQL
Hear Ye, Hear Ye! I hereby declare Friday, July 25th as the first ever International Operation cf_SQLprotect. In response to the massive amount of SQL injection attacks in the past few weeks I want the ColdFusion community to be doing our darndest to keep our applications safe from harm. This Friday, I want everyone who has a site big or small, well known or obscure, to join the world and scan their code base for vulnerable queries and fix them.
Comments are currently closed

Parameterize your queries without lifting a finger

ColdFusion, Security, SQL
Tuesday I blogged Peter Boughton's QueryParam Scanner from RiaForge. Today I'm taking a look at Daryl Banttari's Query Parameterizing tool. Daryl's scanner has an interesting twist. Not only does it find unparameterized queries, it will automatically FIX them FOR you! Daryl Banttari works for WebApper and is part of the genius behind SeeFusion
Comments are currently closed