Recent Articles SQL Injection Finder Tool Running a SQL This handy newly updated tool from the Code Plex can help parse your IIS Logs looking for the standard command sequences that indicate someone is trying to do an SQL injection attack against your... Tracking ColdFusion Problems With SQL Server Trace Running a SQL Trace in the SQL Server Profiler can be a great way to track down performance problems in your ColdFusion application. However if you have tried to run one, you probably didn't see the actualy SQL queries... SQL Ninja Hacking Tool There is a certain amount of respect earned when someone makes a hacking tool that not only does what it is supposed to do, but does it elegantly as well. While this tool is aimed at professional pen testers, this is... OSS Customer Categorization I've been thinking about this statement from Sun/MySQL's Marten Mickos: "There's a difference between organizations that have more time than money and organizations that have more money than time." Open Community And Closed Source Vendors InfoWorld blogger Sean McCown at Database Underground wrote about a key difference between SQL Server & Oracle: "The answer is simple information. MS has built such a strong community and its members... SolidDB For MySQL Development As Matt reported last week, IBM announced that it was bowing out of the solidDB for MySQL project. "Those of you who know Solid's history know that Solid has long been a leader in the area of in-memory...

07.29.08 Prevent SQL Injections With CFQUERYPARAM By Pete Freitag If you haven't been using the cfqueryparam tag, chances are you had a baptism by fire this week. As you may have heard, lots of ColdFusion powered sites were targeted by hackers using SQL Injection this week. Fortunately SQL Injection is very easy to prevent in CFML using the cfqueryparam tag, and many people have pointed out some of the simple use cases for the tag. But there are a few cases where you can't use the cfqueryparam tag. In those cases, ColdFusion might throw an exception that looks like this: [Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect syntax near '@P1'. [Macromedia][SQLServer JDBC Driver][SQLServer]Statement(s) could not be prepared. Let's take a look at some of these special cases, and how to get around them: SELECT TOP If you are passing a variable into a SELECT TOP statement, you can't use cfqueryparam, instead consider using the Val function. This is a really handy function that will return 0 whenever it gets a non-numeric value, and will convert decimal values into integers. SELECT TOP #Val(url.max_rows)# first_name FROM people ORDER BY When attempting to use a cfqueryparam tag in the ORDER BY statement you might receive an error such as: [Macromedia][SQLServer JDBC Driver][SQLServer]The SELECT item identified by the ORDER BY number 1 contains a variable as part of the expression identifying a column position. Variables are only allowed when ordering by an expression referencing a column name. A good way to get around this limitation is to use the ListFindNoCase function, to limit the sortable column names, for example: <cfset sortable_column_list = "age,height,weight,first_name"> <cfquery ...>   SELECT first_name, age, height, weight   FROM people   ORDER BY <cfif ListFindNoCase(sortable_column_list, url.sort_column)>#url.sort_column#<cfelse>first_name</cfif> </cfquery> Passing Value Lists using IN Continue reading this article. About the Author: Pete Freitag (http://www.petefreitag.com/) is a software engineer, and web developer located in central new york. Pete specializes in the HTTP protocol, web services, xml, java, and coldfusion. In 2003 Pete published the ColdFusion MX Developers Cookbook with SAMs Publishing. Pete owns a Firm called Foundeo (http://foundeo.com/) that specializes in Web Consulting, and Products for Web Developers.

SQLproNews is brought to you by: SecurityConfig.com NetworkingFiles.com NetworkNewz.com WebProASP.com DatabaseProNews.com SQLProNews.com ITcertificationNews.com SysAdminNews.com SQLproNews.com WirelessProNews.com CProgrammingTrends.com SysAdminNews.com About SQLproNews SQLproNews is a collection of up to date tutorials and insightful articles designed to help SQL users of any skill level implement successful SQL systems and practices. SQL Strategies and Tactics for Business

-- SQLProNews is an iEntry, Inc. publication -- iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509 2008 iEntry, Inc.  All Rights Reserved  Privacy Policy  Legal advertising info | news headlines | free newsletters | comments/feedback | submit article