Guess what: using CFQUERYPARAM in your ColdFusion code may not always save you from SQL injection.
"How?", you may ask. Let me give you an example of an SQL injection attack that's not caught by cfqueryparam.
SQL injection can occur any time care is not taken to completely separate your SQL code from its parameters, so that the parameters being passed in are allowed to flow into the SQL statement itself. SQL injection can also occur when building the SQL statement's table and column names dynamically.
Read more...
Most web applications interact with a database, and the data stored therein frequently originates from remote sources. Thus, when creating an SQL statement, you often use input in its construction. A typical SQL injection attack exploits this scenario by attempting to send fragments of valid SQL queries as unexpected values of GET and POST data. This is why an SQL injection vulnerability is often the fault of poor filtering and escaping, and this fact cannot be stressed enough.
I'm going to explain SQL injection by looking at a few example attacks and then introducing some simple and effective safeguards. By applying best practices, you can practically eliminate SQL injection from your list of security concerns.
Preventing SQL Injection in PHP & ColdFusion
Read more...
Look beyond politics and hype when deciding which to use.
Takeaway: MySQL may be free, but what if money isn't the only determining factor? Find out how these two database heavyweights stack up against each other and how to decide which one to use as your database system.
Two of the most popular back-end data stores Web developers work with today are MySQL and SQL Server. They are fundamentally similar in that both are data storage and retrieval systems. You can use SQL to retrieve data with either because both claim support for ANSI-SQL. Both database systems support primary keys and key indices, so you can also create indices used simply to speed up queries and for constraining input. Further, both provide some form of XML support.
Aside from the obvious difference of price, what distinguishes these two products from each other, and how do you choose between them? Let's take a look at the core differences between these two products, including licensing costs, performance, and security.
Read more...
I have heard many a shop discuss the old argument of SQL Server or MySQL, and generally the System Admin somewhere always squashes MySQL. It has always appeared to me that they don't fully understand the capabilities of MySQL versus SQL Server. This is generally because of outdated information on the Internet, with the end result often being that antiquated views and opinions are quoted or otherwise recycled without the end users of such information ever knowing that the data either no longer applies or perhaps was never correct to begin with.
As a Web Development professional, you should be mindful of this when going about your research because you wouldn't want to be making a costly decision based on incorrect information. So exactly what myths will we attempt to undo?
Read more...
Here's the situation. A user is viewing a report online. The business owner of the application decided to provide a nice PDF format of the data; all the user needs to do is click a button, perhaps named "print". The CF server generates the PDF and hands it off to the browser through either CFLOCATION or CFCONTENT. So now the user has the PDF loaded in a secondary window and has to go hunt for the print button again. But fear not, dear user! We'll save you by judicious use of XML, JavaScript, and ColdFusion.
Read more...