Archive for June, 2008

ColdFusion Data Type Mappings to MySQL Data Type(s)

To secure your CFML, it is recommended that you use the cfqueryparam tag within every cfquery tag. You can optimize this process by specifying the CFSQLType attribute. But what about when you want to use a MySQL database?

The LiveDocs cfqueryparam topic does not include the mapping of ColdFusion SQL data types for MySQL in the usage table, but a helpful comment attached to the doc gives some insight.

ColdFusion Data Type Mappings to MySQL Data Type(s):

CF_SQL_BIGINT | bigint
CF_SQL_BINARY | binary
CF_SQL_BIT | bit (MySQL 5)
CF_SQL_BLOB | blob, tinyblob, mediumblob
CF_SQL_CHAR | char
CF_SQL_DATE | date
CF_SQL_DECIMAL | decimal
CF_SQL_DOUBLE | double
CF_SQL_FLOAT | float
CF_SQL_INTEGER | mediumint, int
CF_SQL_REAL | real
CF_SQL_SMALLINT | smallint
CF_SQL_TIME | time
CF_SQL_TIMESTAMP | datetime, timestamp
CF_SQL_TINYINT | tinyint
CF_SQL_VARBINARY | varbinary
CF_SQL_VARCHAR | varchar, text, longtext, mediumtext
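As an added example (not from the original post), here is the mapping applied to an assumed MySQL table users(id INT, username VARCHAR(50), created DATETIME, is_active TINYINT), with the datasource name and the url/form fields also assumed:

```cfml
<!--- Added example, not from the original post. Assumed MySQL table:
      users(id INT, username VARCHAR(50), created DATETIME, is_active TINYINT).
      The cfsqltype on each cfqueryparam comes from the mapping table above. --->

<!--- Vulnerable form: the URL value is pasted straight into the SQL text, so a
      non-numeric value changes the query instead of being treated as a number. --->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT id, username, created
    FROM users
    WHERE id = #url.id#
</cfquery>

<!--- Parameterized form: each value is sent to MySQL as a bound parameter, never as
      SQL text. ColdFusion also validates the value against the declared type, so a
      non-numeric id is rejected before the query runs, and maxlength caps VARCHAR input. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username, created
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_INTEGER">
      AND username = <cfqueryparam value="#form.username#" cfsqltype="CF_SQL_VARCHAR" maxlength="50">
      AND created >= <cfqueryparam value="#form.since#" cfsqltype="CF_SQL_TIMESTAMP">
      AND is_active = <cfqueryparam value="1" cfsqltype="CF_SQL_TINYINT">
</cfquery>
```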

Added SQL Injection attack protection with Rewrite Rules

Sure, you can protect against SQL injection attacks at the code layer, but what happens when hackers find something you missed? With rewrite rules, using mod_rewrite on Apache or ISAPI_Rewrite for IIS, you can add rules to ignore URL-based SQL injection altogether. Below is an example of some basic protection you can add.

In ISAPI_Rewrite (httpd.ini syntax; [I] makes the match case-insensitive, and the pattern is tested against the full request URL including the query string)

[ISAPI_Rewrite]
# Arguments are split on whitespace, so a space inside a pattern is written as \s.
# A URL-encoded space arrives as %20 (or +), so both forms are listed where it matters.
RewriteRule .*DECLARE.* /security-violation.htm [I]
RewriteRule .*NVARCHAR.* /security-violation.htm [I]
RewriteRule .*INSERT(\s|%20|\+).* /security-violation.htm [I]
RewriteRule .*(\s|%20|\+)xp_.* /security-violation.htm [I]
RewriteRule .*(\s|%20|\+)@.* /security-violation.htm [I]
RewriteRule .*@(\s|%20|\+).* /security-violation.htm [I]
RewriteRule .*';*.* /security-violation.htm [I]
RewriteRule .*EXEC\(@.* /security-violation.htm [I]
RewriteRule .*sp_password.* /security-violation.htm [I]
# Hand the flagged request to the ColdFusion logging page; [L] stops further rule processing.
RewriteRule /security-violation\.htm /security.cfm [I,L]

In mod_rewrite

RewriteEngine On
# mod_rewrite applies a RewriteRule pattern to the URL path only, so the query string
# (where URL-based injection usually arrives) has to be tested with RewriteCond.
# The TestString is path + "?" + raw query string; [OR] chains the conditions and
# [NC] makes them case-insensitive. The first condition keeps the logging page itself
# from matching again on the internal redirect, which would otherwise loop.
RewriteCond %{REQUEST_URI} !^/security\.cfm$
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} DECLARE [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} NVARCHAR [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} INSERT(\s|%20|\+) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (\s|%20|\+)xp_ [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (\s|%20|\+)@ [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} @(\s|%20|\+) [NC,OR]
# A pattern must not begin with a quote character (the config parser treats it as quoting).
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} .*';* [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} EXEC\(@ [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} sp_password [NC]
RewriteRule .* /security-violation.htm
# ^/? matches with or without the leading slash (it is stripped in .htaccess context).
RewriteRule ^/?security-violation\.htm$ /security.cfm [NC,L]

Add security.cfm to your webroot:

<!--- security.cfm: target of the rewrite rules above. Shows and mails the blocked request.
      CGI variables are referenced through the cgi scope explicitly. HTMLEditFormat() escapes
      the attacker-controlled query string so this page does not itself reflect injected markup.
      After an internal rewrite cgi.script_name is this page; the query string still carries
      the original parameters. --->
<cfset requestUrl = "http://" & cgi.server_name & cgi.script_name & "?" & cgi.query_string>

<cfoutput>
<h1>HACK ATTEMPT LOGGED FROM IP: #cgi.remote_addr#</h1>

#DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:MM:SS")#

#HTMLEditFormat(cgi.script_name & "?" & cgi.query_string)#
</cfoutput>

<!--- cfmail requires valid e-mail addresses; the two below are placeholders to replace. --->
<cfmail to="sysadmin@example.com" from="website@example.com" subject="HACK ATTEMPT FROM IP: #cgi.remote_addr#">
HACK ATTEMPT RECORDED:

#DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:MM:SS")#

IP: #cgi.remote_addr#

ATTEMPT:

#requestUrl#
</cfmail>
<cfabort>
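As an added example (not from the original post), the same signature check done inside ColdFusion itself, in Application.cfc, as a fallback when no rewrite module is available; the application name and the use of onRequestStart are assumptions, and the check runs on the URL-decoded query string so that "%20xp_" and "+xp_" are both seen as " xp_":

```cfml
<!--- Added example, not from the original post: an application-level fallback for the
      rewrite rules above. Assumed: Application.cfc in the webroot and security.cfm from
      the post. The patterns are the post's rule signatures in CF regex syntax. --->
<cfcomponent>
    <cfset this.name = "MyApp">

    <cffunction name="isSuspiciousRequest" returntype="boolean" output="false">
        <cfargument name="queryString" type="string" required="true">
        <!--- Decode first so %20 and + become a plain space, then match case-insensitively. --->
        <cfset var decoded = URLDecode(arguments.queryString)>
        <cfset var pattern = "DECLARE|NVARCHAR|INSERT\s|\sxp_|\s@|@\s|'|EXEC\(@|sp_password">
        <cfreturn REFindNoCase(pattern, decoded) GT 0>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Skip the logging page itself, otherwise the include below would re-trigger the check. --->
        <cfif arguments.targetPage NEQ "/security.cfm" AND isSuspiciousRequest(cgi.query_string)>
            <cfinclude template="/security.cfm">
            <cfabort>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```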

Fix: Coldbox CCTApp Error: The method init was not found in component transfer.com.TransferObject.

I have been looking to get started with ColdBox, ColdSpring and Transfer for quite some time, and I figured now would be as good a time as any. However, when I tried to deploy the CCTApp I had a bit of trouble with folder permissions. Specifically, I needed to chmod the /model/definitions folder to 777 so the app could write to the directory.

Once the app could perform writes to the directory I had some random browser lock-up where the page stopped loading… I reinitialized the application after a failed attempt at a page refresh and was greeted by a new error.

Error Type: Application : [N/A]

Error Messages: The method init was not found in component transfer.com.TransferObject. Ensure that the method is defined, and that it is spelled correctly.

Being new to ColdBox and Transfer I had some trouble trying to locate a fix to this, however, I was able to finally track down the information I needed via the Transfer FAQ.

Generally this is caused because you haven’t deleted your .transfer files that were generated by the previous version of Transfer.

Whenever you update Transfer it is important that you delete the previous version’s .transfer files, as they may contain code that won’t work with this version.

Removing the .transfer files from the /model/definitions had me back in action.

My issues with the sample application aside, I really have to hand it to the ColdBox team. The documentation Rocks! And the sheer number of sample applications really makes my transition from Fusebox to ColdBox that much simpler.

Sun xVM Server coming this summer!

So you think xVM VirtualBox rocks? Just wait till you see xVM Server in action!

The xVM Server Project is a data-center grade, bare-metal virtualization engine that provides hypervisor lifecycle management for servers. It is designed to be a cross-platform, high efficiency, open source hypervisor capable of hosting multiple guest operating systems (including Solaris, Windows, and Linux), with advanced CPU and memory handling capabilities. The server is being built using technology from the Xen open source project as well as Sun™ Logical Domains (LDOMS).

Keep your browsers tuned to xvmserver.org; the site is set to launch this summer. For now you can check out a UI sneak peek and a short overview of xVM Server over at OpenxVM.org’s OpenxVM at a Glance page.
