Mark Kruger has another interesting and timely read about an ambitious SQL injection attack one of his clients recently experienced.
One thing's for sure: it's certainly an *interesting* time to be a developer. Hackers and spammers make sure of that.
SQL injection has been around for so long that it is truly a crime if developers (ColdFusion developers at least) aren't using cfqueryparam for every WHERE clause in their queries. ColdFusion 8 allows you to use cachedwithin whilst using queryparam, so there is really no excuse.
And as Mark says, client side validation is a nice user experience but doesn't cut it at all. If you or someone on your team uses client side (JavaScript) validation only and/or doesn't sanitise user/URL parameters, then they need to be educated or get out of the game.
Update 25th July 2008
Pete Freitag has a nice article about the times where you can’t use cfqueryparam, and some nice solutions you can try instead. Well worth a read.
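The following CFML is an example added by the editor, not code from the original post, from Mark Kruger's write-up or from Pete Freitag's article. It shows the three points above in one template: the string-concatenated query that cfqueryparam replaces, the parameterised version (with cachedwithin, as the post notes ColdFusion 8 permits), server side validation of the incoming URL parameters, and a whitelist for the one place cfqueryparam cannot help, a dynamic ORDER BY column. The datasource name `myDSN`, the `users` table and its columns, and the `url.id`, `url.ids` and `url.sort` parameters are all assumptions for the sake of the example.

```cfml
<!--- Added example, not from the original post. Assumes a datasource "myDSN"
      and a table users(id, username, email, created). --->

<!--- Server side validation first: never trust that client side JavaScript ran.
      isValid() is a built-in ColdFusion function (CF7+). --->
<cfparam name="url.id" default="0">
<cfif not isValid("integer", url.id)>
    <cfthrow type="InvalidParameter" message="id must be an integer">
</cfif>

<!--- VULNERABLE: url.id is concatenated straight into the SQL text, so a
      crafted value is parsed by the database as part of the statement. --->
<cfquery name="qUserUnsafe" datasource="myDSN">
    SELECT id, username, email
    FROM   users
    WHERE  id = #url.id#
</cfquery>

<!--- SAFE: cfqueryparam binds the value as a typed parameter; the database
      receives the statement and the data separately, so the value can never
      change the shape of the query. cachedwithin works alongside it in CF8. --->
<cfquery name="qUser" datasource="myDSN"
         cachedwithin="#createTimeSpan(0, 0, 10, 0)#">
    SELECT id, username, email
    FROM   users
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- A comma-separated list of ids from the URL: list="true" binds each
      element as its own parameter instead of pasting the raw list in. --->
<cfparam name="url.ids" default="1,2,3">
<cfquery name="qUsersIn" datasource="myDSN">
    SELECT id, username
    FROM   users
    WHERE  id IN (<cfqueryparam value="#url.ids#" cfsqltype="cf_sql_integer" list="true">)
</cfquery>

<!--- Where cfqueryparam cannot be used: identifiers such as an ORDER BY column
      are not bindable. Map the request value onto a fixed whitelist and only
      ever emit one of those literal names. --->
<cfset sortCol = "username">
<cfif structKeyExists(url, "sort")
      and listFindNoCase("username,email,created", url.sort)>
    <cfset sortCol = url.sort>
</cfif>

<cfquery name="qUsersSorted" datasource="myDSN">
    SELECT id, username, email, created
    FROM   users
    ORDER  BY #sortCol#
</cfquery>
```

The two `cfquery` blocks named `qUserUnsafe` and `qUser` run the same SELECT; only the second is safe to ship. The ORDER BY case is the one to remember from Pete's article: the fix is not escaping the value but refusing anything outside a list you wrote yourself.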
It’s a shame the number of applications being used out there that do little, if anything, for server-side validation.
Allen
July 19th, 2008
CFQueryParam is all that and a bag of chips
Ben Nadel
July 19th, 2008