Another Reminder About cfqueryparam

OK, this may sound harsh, but as part of my consulting role I still see people and organizations not using cfqueryparam in their ColdFusion code:

If you're developing live applications in ColdFusion and not using cfqueryparam you should be held personally, if not criminally, responsible for any damage caused to your organization as a result of the well-known SQL-injection attack that's making the rounds.

Just this morning I received an email alert from Ray Camden's excellent BlogCFC application (which I'm using to run this blog), informing me of a ColdFusion error. When I looked closely at the cfdump included in the message, I noticed that it was the result of someone trying to inject SQL through a parameter passed to the RSS feed template.

Because Ray used cfqueryparam, the attacker's value was bound as a typed parameter instead of being pasted into the SQL string: it failed the parameter's type check before the query ever reached the database, and CF threw the following error. Well done, Ray! Probably the first time I've been happy to get an error report.

If you're not aware of this tag, go here right now and learn about it.
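To make the difference concrete, here is an added example (my own illustration, not code from this post or from BlogCFC) of the same lookup written both ways. The datasource name "blog", the table "entries" and its columns are assumptions; the behaviour shown is that of the standard cfquery and cfqueryparam tags. It also shows the two things cfqueryparam does not cover, which bite people who think the tag alone is enough: oversized string input and column names used in ORDER BY.

```cfml
<!--- Added example, not from the post or from BlogCFC. Datasource "blog",
      table "entries" and its columns are illustrative assumptions. --->

<!--- VULNERABLE: url.id is pasted straight into the SQL text. A request
      such as ?id=1%20OR%201=1 or ?id=1;DROP%20TABLE%20entries becomes
      part of the statement the database parses. --->
<cfquery name="getEntry" datasource="blog">
    SELECT id, title, body
    FROM entries
    WHERE id = #url.id#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a bind parameter, so the
      database never parses it as SQL. With cfsqltype="cf_sql_integer"
      ColdFusion also validates the value itself: a non-numeric value
      throws an error before the query is sent, which is exactly the
      failure mode described above for the RSS feed. --->
<cfquery name="getEntry" datasource="blog">
    SELECT id, title, body
    FROM entries
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- If you would rather redirect than throw, check the type first.
      isValid() has been available since ColdFusion 7. --->
<cfparam name="url.id" default="">
<cfif not isValid("integer", url.id)>
    <cflocation url="/" addtoken="false">
</cfif>

<!--- String values: give the parameter a type AND a maxlength so that
      oversized input is rejected instead of being passed through. The
      LIKE wildcards are part of the bound value, not the SQL text. --->
<cfquery name="searchEntries" datasource="blog">
    SELECT id, title
    FROM entries
    WHERE title LIKE <cfqueryparam value="%#form.q#%"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="100">
</cfquery>

<!--- Caveat: bind parameters only cover VALUES. A column name or sort
      direction cannot be parameterised, so check it against an allow-list
      before interpolating it into the statement. --->
<cfset sortColumn = "id">
<cfif isDefined("url.sort") and listFindNoCase("id,title,posted", url.sort)>
    <cfset sortColumn = url.sort>
</cfif>
<cfquery name="listEntries" datasource="blog">
    SELECT id, title, posted
    FROM entries
    ORDER BY #sortColumn#
</cfquery>
```

The first hardened query is the one-line change the post is asking for. The maxlength attribute and the allow-list for ORDER BY are the two follow-ups worth auditing once every query in the codebase uses cfqueryparam, because neither is something the tag can do for you.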

[Screenshot: ColdFusion error report from the attempted SQL injection]

Comments
It would be even better though if BlogCFC noticed the invalid value and just pushed the request to /. I do that in a few places, like the RSS page, but probably not everywhere.
# Posted By Raymond Camden | 8/23/08 1:16 PM
Even better, push it back to the offending domain to put additional load on their servers ;)
# Posted By Oliver Merk | 8/23/08 2:20 PM
Got to be careful with sending back to the referrer - that can be spoofed and then you're just hammering a potential innocent bystander.
# Posted By todd sharp | 8/23/08 7:08 PM
Thanks, Oliver Merk.
# Posted By Oyun | 11/15/08 4:04 AM
BlogCFC was created by Raymond Camden. This blog is running version 5.8.001.