Archive for June, 2008

ColdFusion Data Type Mappings to MySQL Data Type(s)

To secure your CFML it is recommended that you use the cfqueryparam tag within every cfquery tag, so that user-supplied values are bound as typed parameters instead of being concatenated into the SQL string. You can tighten this further by specifying the CFSQLType attribute, which lets ColdFusion validate and convert each value for the target column. But what about when you want to use a MySQL database?

The LiveDocs cfqueryparam topic does not include the mapping of ColdFusion SQL data types to MySQL types in its usage table, but a helpful comment attached to the doc gives some insight:

CFSQLType         | MySQL type(s)
------------------|-----------------------------------
CF_SQL_BIGINT     | bigint
CF_SQL_BINARY     | binary
CF_SQL_BIT        | bit (MySQL 5)
CF_SQL_BLOB       | blob, tinyblob, mediumblob
CF_SQL_CHAR       | char
CF_SQL_DATE       | date
CF_SQL_DECIMAL    | decimal
CF_SQL_DOUBLE     | double
CF_SQL_FLOAT      | float
CF_SQL_INTEGER    | mediumint, int
CF_SQL_REAL       | real
CF_SQL_SMALLINT   | smallint
CF_SQL_TIME       | time
CF_SQL_TIMESTAMP  | datetime, timestamp
CF_SQL_TINYINT    | tinyint
CF_SQL_VARBINARY  | varbinary
CF_SQL_VARCHAR    | varchar, text, longtext, mediumtext
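As an added example (not code from the original post), here is a pair of parameterized queries against a MySQL table that use the CFSQLType mappings above; the datasource name `myMySqlDsn`, the `users` table and its columns are assumed for illustration:

```cfml
<!--- Added example: each cfqueryparam names the CF_SQL_* type that matches the
      MySQL column type per the table above. Datasource, table and column names
      are assumed. Besides preventing injection, cfqueryparam rejects values
      that do not fit the declared type (a non-numeric url.id throws before the
      query ever reaches MySQL). --->
<cfquery name="findUser" datasource="myMySqlDsn">
    SELECT user_id, username, balance, created_at, is_active
    FROM   users
    WHERE  user_id    =  <cfqueryparam value="#url.id#"
                                       cfsqltype="CF_SQL_INTEGER">          <!--- int / mediumint --->
    AND    username   =  <cfqueryparam value="#form.name#"
                                       cfsqltype="CF_SQL_VARCHAR"
                                       maxlength="50">                      <!--- varchar(50) --->
    AND    created_at >= <cfqueryparam value="#DateAdd('d', -30, Now())#"
                                       cfsqltype="CF_SQL_TIMESTAMP">        <!--- datetime --->
    AND    is_active  =  <cfqueryparam value="1"
                                       cfsqltype="CF_SQL_BIT">              <!--- bit(1), MySQL 5 --->
</cfquery>

<cfquery datasource="myMySqlDsn">
    UPDATE users
    SET    balance = <cfqueryparam value="#form.balance#"
                                   cfsqltype="CF_SQL_DECIMAL"
                                   scale="2">,                              <!--- decimal(10,2) --->
           notes   = <cfqueryparam value="#form.notes#"
                                   cfsqltype="CF_SQL_VARCHAR"
                                   null="#NOT Len(Trim(form.notes))#">      <!--- text column; NULL when empty --->
    WHERE  user_id = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_INTEGER">
</cfquery>
```

The `maxlength`, `scale` and `null` attributes are standard cfqueryparam attributes; the first two also stop oversized input from reaching the database.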

Added SQL Injection attack protection with Rewrite Rules

Sure, you can protect against SQL injection attacks at the code layer, but what happens when hackers find something you missed? With rewrite rules, using mod_rewrite on Apache or ISAPI_Rewrite for IIS, you can add a second layer that rejects URL-based SQL injection attempts outright, before they reach your code. Below is an example of some basic protection you can add.

In ISAPI_Rewrite

# Patterns that contain a literal space use \x20 so each directive still parses
# as three whitespace-separated tokens (pattern, target, flags). [I] = case-insensitive.
RewriteRule .*DECLARE.* /security-violation.htm [I]
RewriteRule .*NVARCHAR.* /security-violation.htm [I]
RewriteRule .*INSERT\x20.* /security-violation.htm [I]
RewriteRule .*INSERT%20.* /security-violation.htm [I]
RewriteRule .*\x20xp_.* /security-violation.htm [I]
RewriteRule .*%20xp_.* /security-violation.htm [I]
RewriteRule .*%20@.* /security-violation.htm [I]
RewriteRule .*\x20@.* /security-violation.htm [I]
RewriteRule .*@%20.* /security-violation.htm [I]
RewriteRule .*@\x20.* /security-violation.htm [I]
RewriteRule .*'.* /security-violation.htm [I]
RewriteRule .*EXEC\(@.* /security-violation.htm [I]
RewriteRule .*sp_password.* /security-violation.htm [I]
# Every flagged request ends up here and is handed to the logging page below
RewriteRule /security-violation.htm /security.cfm [I,L]

In mod_rewrite

RewriteEngine On
# mod_rewrite tests the RewriteRule pattern against the decoded URL path only.
# Because the path is already decoded, the %20 variants below will not match here,
# and the query string is not inspected at all; to cover it, add a RewriteCond
# on %{QUERY_STRING}. Literal spaces are written as \x20 so each directive still
# parses as three tokens. [NC] = case-insensitive.
RewriteRule .*DECLARE.* /security-violation.htm [NC]
RewriteRule .*NVARCHAR.* /security-violation.htm [NC]
RewriteRule .*INSERT\x20.* /security-violation.htm [NC]
RewriteRule .*INSERT%20.* /security-violation.htm [NC]
RewriteRule .*\x20xp_.* /security-violation.htm [NC]
RewriteRule .*%20xp_.* /security-violation.htm [NC]
RewriteRule .*%20@.* /security-violation.htm [NC]
RewriteRule .*\x20@.* /security-violation.htm [NC]
RewriteRule .*@%20.* /security-violation.htm [NC]
RewriteRule .*@\x20.* /security-violation.htm [NC]
RewriteRule .*'.* /security-violation.htm [NC]
RewriteRule .*EXEC\(@.* /security-violation.htm [NC]
RewriteRule .*sp_password.* /security-violation.htm [NC]
# Every flagged request ends up here and is handed to the logging page below
RewriteRule /security-violation.htm /security.cfm [NC,L]

Add security.cfm to your webroot:

<!--- security.cfm: log the blocked request and notify the administrator.
      Request-controlled values (script_name, query_string) are passed through
      HTMLEditFormat before being written into HTML, so the log page itself
      cannot be used for script injection. After an internal rewrite the web
      server may already report script_name as /security.cfm; on Apache the
      original path and query string are also available in cgi.request_uri. --->
<cfoutput>
<h1>HACK ATTEMPT LOGGED FROM IP: #cgi.remote_addr#</h1>

#DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:mm:ss")#

#HTMLEditFormat(cgi.script_name)#?#HTMLEditFormat(cgi.query_string)#
</cfoutput>

<!--- The to/from addresses are placeholders; replace them with your own. --->
<cfmail to="sysadmin@example.com" from="website@example.com" subject="HACK ATTEMPT FROM IP: #cgi.remote_addr#">
HACK ATTEMPT RECORDED:

#DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:mm:ss")#

IP: #cgi.remote_addr#

ATTEMPT:

http://#cgi.server_name##cgi.script_name#?#cgi.query_string#
</cfmail>
<cfabort>

Fix: ColdBox CCTApp Error: The method init was not found in component transfer.com.TransferObject.

I have been looking to get started with ColdBox, ColdSpring and Transfer for quite some time, and I figured now would be as good a time as any. However, when I tried to deploy the CCTApp I had a bit of trouble with folder permissions. Specifically, I needed to chmod the /model/definitions folder to 777 so the app could write to the directory.

Once the app could perform writes to the directory, I had a random browser lock-up where the page stopped loading… I reinitialized the application after a failed attempt at a page refresh and was greeted by a new error.

Being new to ColdBox and Transfer, I had some trouble locating a fix for this; however, I was finally able to track down the information I needed via the Transfer FAQ:

Generally this is caused because you haven't deleted your .transfer files that were generated by the previous version of Transfer.

Whenever you update Transfer it is important that you delete the previous version's .transfer files, as they may contain code that won't work with this version.

Removing the .transfer files from the /model/definitions folder had me back in action.

My issues with the sample application aside, I really have to hand it to the ColdBox team. The documentation rocks! And the sheer number of sample applications really makes my transition from Fusebox to ColdBox that much simpler.

Sun xVM Server coming this summer!

So you think xVM VirtualBox rocks? Just wait till you see xVM Server in action!

The xVM Server Project is a data-center grade, bare-metal virtualization engine that provides hypervisor lifecycle management for servers. It is designed to be a cross-platform, high efficiency, open source hypervisor capable of hosting multiple guest operating systems (including Solaris, Windows, and Linux), with advanced CPU and memory handling capabilities. The server is being built using technology from the Xen open source project as well as Sun™ Logical Domains (LDOMS).

Keep your browsers tuned to xvmserver.org; the site is set to launch this summer. For now you can check out a UI sneak peek and a short overview of xVM Server over at OpenxVM.org's OpenxVM at a Glance page.
