Cross site scripting and SQL injection

-

we have developed application in coldfusion 6.1 . have found our application vulnerable cross site scipting , sql injection. can 1 me out solve problem .

 

and suggest if need install hotfixes or component available .

coldfusion has built-in defence against cross-site scripting , injection attacks. scriptprotect attribute of cfapplication tag. however, included coldfusion mx7.x onwards. have thought migrating coldfusion 8? many other benefits besides.

 

luckily, there handy device against cross-site scripting , injection attacks, namely, cfqueryparam tag.  present in mx 6.1.

 

sql injection happens user data enters query. so, have extended search queries in application. identify form variables , url variables enter queries.

 

do validation variables before query. example, simple test numbers using isnumeric() may that  required. if value fails validation, reject it, throw exception, , abort.

 

use cfqueryparam in each case enter form , url variables query. beware of variables in other scopes, such session.userid, entered application form or url variables. have sanitized using cfqueryparam.

 

last but, certainly, not least, psychological part of defence. remember there @ other end, trying cause mischief application. might customer, colleague or acquaintance of yours, or ex-customer or ex-colleague. realize in same building or in same room you.

 

take war them. try identify ip addresses. clues , patterns in attacker's behaviour. frequency, times of day, parts of application attacked, , on. study data attacker enters. attackers carried away , unintentionally leak out details themselves.

 

build dossier. in countries, in western countries, cross-site scripting , injection attacks, particularly concerted attacks, count crime  nowadays.



More discussions in ColdFusion


adobe

Comments

Post a Comment

Popular posts from this blog

Joomla site hacked, cant see front and - Joomla! Forum - community, help and support

-
hi all; here thing: i went see site because haven't visited week or 2 , surprised when saw white page some provocation written on tab , acronym of attacker on page. i log on ftp server see if files there , found vital data remind safe. i tried put site off line got same hackers index.html file displaying when press "preview" button in joomla admin. deleted index.html file , tried check offline site option again. time got offline page. but problem resumes when put site online... white page, nothing else written. site date, , joomla updated v. 1.5.10 few days back. virtuemart commponent installed, newest v. 1.1.3 do need install fresh joomla copy , overwrite files previous including data base, or can avoid job fixing index.html on front end. i didn't make backup copy of site, i'll if not working save date in case potential hacker delete server... any suggestions? check template index.html file (edit html in template manager active template) usual source of hacking...
Read more

Christian Home School Programs - Joomla! Forum - community, help and support

-
Image
hello guys, (my first custom template) i got son in accelerated christian home school program. they did not have web site designing , hosting cover fees in trade. website: christian home school programs i've not got content published... the graphics imagination i've installed jumi i have directphp installed mostly custom css layout , i've used css purity seo, christian home shool - 200 million+ organics i have optimized code behind visual design crawlers. any thoughts / recommendations? i'm new custom templating in joomla ears open gurus of joomla richard hey, well done on first custom template. i don't background... @ all. think should going more professional look, maybe isnt repeating on both x , y axis, , isnt shade of blue. as far content goes, there isnt much... site performance good. good luck tim Board index Joomla! Official Sites & Infrastructure Sites & Infrastructure - Feedback/Information ...
Read more

Trouble with PF_OutFlag_I_USE_AUDIO and PF_CHECKOUT_LAYER_AUDIO

-
i trying render graphical representation of layer's audio waveform. have seen this similar thread , problem checking out audio, cannot far.   in globalsetup function set out_flags thus..   out_data-> out_flags = pf_outflag_i_use_audio;   but in pf_cmd_frame_setup function, , pf_cmd_render function ( pf_cmd_smart_pre_render pf_cmd_smart_render)   the pf_indata src_snd structure empty , in_data->start_sampl == 0, in_data->dur_sampl == 0, in_data->total_sampl == 0     i missing something, appreciate guidance,   thanks   steve (london, uk - adobe plugin developers nearby?) More discussions in After Effects SDK adobe
Read more