Coder's Revolution

Do you want a revolution?

Category Filtering: 'SQL'

When will cfqueryparam NOT protect me?

ColdFusion, Security, SQL
JR asked a good question on my queryparam Scanner post. He noticed that I had stopped short of saying cfqueryparam would ALWAYS stop ALL SQL injection. He said, "Can you give an example of a SQL Injection attack which is not caught by cfqueryparam ?" I'm glad you asked JR.
Comments are currently closed

QueryParam Scanner- You've got no excuse now

ColdFusion, Security, SQL, Technology
This April, Peter Boughton put a little tool on RiaForge called QueryParam Scanner. It does what it says and that means you have no excuse not to batten down the hatches on that old code you've got swept under the rug. It also meant I didn't have any excuses either, so I gave it a run tonight.
Comments are currently closed

Just when you felt safe... SQL Injection and MySQL

ColdFusion, SQL
Zac Spitzer recently blogged about an article explaining how to hack ColdFusion. Overall the "exposé" was mostly meaningless drivel not having anything much to do specifically with ColdFusion itself. It was accompanied by an array of Code Samples that look like they were written by a third grader. One point the article made though caught my eye. It claimed MySQL would let you inject SQL into a cfquery not using cfqueryparam even if the variable was enclosed in single ticks. "Could it be?", I scoffed. Oh yes, yes it is true.
Comments are currently closed

Ask and you will (hopefully) receive

ColdFusion, General, SQL
Do you know the address of the Adobe page for requesting bug fixes and product enhancements? Yes, that magical gateway of mystery and wonder that rhymes with a popular children's game.
Comments are currently closed