CFPROCPARAM 1 - SQL injection 0

Recently I have been getting a bunch of errors emailed to me from my blog. I finally got time to look into it this past weekend and found out some interesting things. The errors were being caused by an attempted SQL injection. The injection attempts did not work thanks to CFPROCPARAM.


Coldfusion auto start on Ubuntu

Lately I have been playing around a little with Ubuntu. The server version of the OS is very similar to the desktop version. The main difference is that there is no GUI. This can be solved by installing the Ubuntu UI. However, you can do what I did and install Webmin. It is a browser based UI that allows you to do just about everything. This is because I am CLI illiterate.

Once I got CF running I wanted to set it up so that it would auto start with the OS. Since I had Webmin this was very easy. Well, kinda, I had to figure out what the start up command would be. So after digging and then trial and error here are the steps I came up with.


SQL injection can ruin your day

Yesterday I had the pleasure of fixing a site that got hit with SQL injection. The injection that was done was quite elaborate and was quite harmful. The injection managed to alter data in multiple tables. Then when the data was read out it caused havoc on the front end.

We had to write some elaborate sql to reverse the damage and try and restore the system. In the end we ended up loosing a ton of data. The damage done was so extensive that we were not able to repair everything. We could have just gone to a backup but that would have caused more issues than it solved.

Once the damage was fixed I then got to work on preventing it. Funny thing was that the prevention took seconds to implement. The problem was that the CF database user had to much rights. It took just seconds to run some update statements and reduce the rights that CF had. Once done the same injection attempt that messed it all up to begin with failed.

So, the moral of the story... 1: Make sure the person setting up the database sets rights correctly. 2: Never assume the database guy did his job. 3: Follow best practices and do your best to prevent this on the CF side.

Till next time...


CFLOOP and URL vars

I will preface this by stating you will probably not want to do this. However, I figured I would blog about it anyways as the outcome was very strange.

In a system I was working on I was attempting to reuse some code to expedite some new development. What I did was create a wrapper for an existing cfm. I used cfinclude to bring in the code we were going to reuse and then looped over it. The code that was being looped generated images for output to a browser. So instead of an image tag pointing to a .jpg for instance, it pointed to our image.cfm. I was looping this image code to generate large amounts of images in one call.

Here is the code that was doing the loop and returning an array of what was done. The image.cfm file was expecting url vars so we just set them prior to the include. We then built an array of the image path generated and the url var structure. This way the code could then loop through was was generated later.

view plain print about
1<CFSET ResArray = arrayNew(2)>
3<CFLOOP QUERY="getItems">
4     <CFSET url.a = item_id>
5    <CFSET url.height = 300>
6    <CFSET url.width = 200>
7    <CFINCLUDE TEMPLATE="image.cfm">
8    <CFSET ResArray[i][1] = 'generated image path'>
9    <CFSET ResArray[i][2] = url>

The strange part in all this was what came out at the end in the array. Every second dimension of the array was identical. It was always the information from the last row in the query. So this leads me to believe that even though I am setting the second dimension of the array what the url struct is it does not matter. It appears to just make a reference to the url struct.


ColdFusion 8 performance timing

I was reading a post on the cftalk list about interesting timing numbers via cf script and cfset. Read it here.

The post referenced a blog entry from Neil Middleton that published the timing numbers for doing some set statements via cf7, cf8, and I noticed when reading the blog that the numbers posted were based on cf8 beta and not the release version. So, I decided to redo the tests posted and see how they differ from the post. Here is what I found...


Hey, that is undocumented!

While working on a new application I ran into an interesting issue. The solution to the issue was complex, and I was not pleased with the result. The solution was far from elegant or streamlined. The code was totally bloated, but for necessary reasons. I reworked the code a few times and made it more compact but the end result was still not pleasing.

I bet you are saying, "If it works leave it alone" or something like that. If so I would tend to agree. However, I am one of those people that would spend an hour coding to squeeze out 500ms of processing. I am very critical of what I write and do my very best to make performance paramount.

After leaving the code sit for a few days I want back to it with a clear head. I then started poking around the net looking for ideas. I then started playing around using underlying java objects to make the code better. I then found some undocumented functions in CF that made the code even better.


ColdFusion 8 Linux Upgrade

I just did an upgrade of a server running ColdFusion 7 enterprise running on Red Hat Linux. The upgrade went great, no issues or problems at all. After it was done I tried to load the administrator to migrate the setting from CF7 to 8. In the browser I received this cryptic error message:

view plain print about
1500 coldfusion.runtime.CfJspPage._setCurrentLineNo(I)V

My first thought was, what the hell does that mean. Then thought, lets restart CF and see if that clears it up. So, I go and restart CF and it reports that CF is not running then starts CF. I then try and load the administrator and it now works.

I did some checking and the install docs tell you to start cf after the install completes then load the administrator. However, the installer states the install is complete. Load the administrator to complete the install.

So, I guess the moral of the story is to A: make sure you read the docs. B: Make sure that the info in the installer and the docs match. C: Error messages should be helpful and not add to the already apparent issue.

Till next time...


clearBuffer() does not remove CFAJAXIMPORT JS

If you have the following in your code be carefull. The JS code generated by the CFAJAXIMPORT tag is still generated. The clearBuffer function does not remove it from the output.

view plain print about
1<CFAJAXIMPORT TAGS="cfwindow, cfgrid">
3<CFSET void = getPageContext().getOut().clearBuffer()>

Till next time...


CFUG Directory Watcher Presentation clarifications


During my presentation to the CFUG on the directory watcher gateway there were some questions posed to me and some points I brought up about the watcher in general. Tom Jordahl was kind enough to blog about the presentation and provide some clarification.

Thanks Tom!

Till next time...


ArrayIsDefined throws CF error

Another in the long list of new things in ColdFusion 8 is a new function called ArrayIsDefined. This will allow you to check to see if an array element is defined.

However, I ran into an issue with it that seems kind of odd. If your array has 5 elements and you try to see if array element 6 is defined ColdFusion will throw an error.


view plain print about
1<CFLOOP INDEX="i" FROM="1" TO="5">
2    <CFSET testArray[i] = i>
7    #arrayLen(testArray)#<BR>
8    #ArrayIsDefined(testArray, 6)#

Error: Cannot access array element at position 6. The array has 5 indexes. Valid positions are from 1 to 5.

The error states that the array has a length of 5 and it can't access element 6. Seems a little strange that the CF error tells me what the function should have.

The only work around is to check the length of the array before you check to see if the element exists. Hopefully this will be fixed in a future release.

Till next time...


Previous Entries / More Entries