Blog

In the beginning was assembly, and it was with the programmer and it was good. Through it all programs that have been made were written, without it no programs were written. The compiler shines in the darkness, but the darkness has not understood it. Then came a design pattern sent by Alan Kay, its name was OOP. The other day, someone asked me a really dumb question. "Why are there so many programming languages? Why don't you just all use one?" Ok, that was two questions, and they aren't really dumb, but I felt kinda' dumb trying to answer them.

Here's a couple functions you've probably rarely used in ColdFusion: bitand(), bitor(), bitnot(), bitxor() etc. Frankly I've rarely needed any of them, but this week I did find a clever use for bitand(). I was messing around with a simple database-driven calendar I put on my church's website because I promised them a reoccurring event feature. I needed a simple way to store 12 "monthly" checkboxes without using 12 columns in the database.

I have confirmed at least 16,000 individual cfquery tags which have been protected from SQL injection vulnerabilities by having cfqueryparam added to them.

I ran into an interesting behavior with MySQL this week. I was helping someone speed up a slow page and a sizable increase in performance was achieved by simply re-arranging the SQL statement. The page was calling a SQL statement inside of a loop-- probably around 150 times on a page load. My initial idea (and still the best long-term one I think) was to gather all the information from the database in a single cfquery and not hit the database over and over. That approach would have required quite a lot more refactoring of code, so first we tried to squeeze some better performance out of the SQL already being called.

This is a fun project I put out there a while back. I recently went through and optimized the performance a bit so I could officially blog it. It is an implementation of the Levenshtein Distance Algorithm in CFScript that I based off of a C# version written by Siderite Zackwehdex. Finding the "distance" between two strings is a means of comparing two strings to see how similar they both are. This can be done by finding the Longest Common String or LCS. It is as much a brain bender as it can be occasionally useful.

I generally don't care to write about topics that have already had the stuffing blogged out of them. However, I've still seen some of these questions floating around and I figure it never hurts to have more than one place on the 'net talking about it. The two things I wanted to cover real quick are how cfqueryparam may (or may not) enhance the performance of your queries. Also, when does criteria in a query NOT need a cfqueryparam.

Today is the day. Unless you can bet money that every cfquery in your application is completely safe from SQL inject attacks you need to stop what you are doing and scan your sites. I have reviewed two cfqueryparam scanners to find vulnerable queries and one of them will even fix 95% of your code for you! If your boss asks what you are doing, tell him you found a security vulnerability being exploited and it needs to be closed. He'll understand.

This little guy isn't actually part of w3c spec, but it is supported by IE and Firefox and can be very handy. This method is inherited by any visible DOM element and when it is called will cause the page/frame/div to scroll until that element is in view.

Hear Ye, Hear Ye! I hereby declare Friday, July 25th as the first ever International Operation cf_SQLprotect. In response to the massive amount of SQL injection attacks in the past few weeks I want the ColdFusion community to be doing our darndest to keep our applications safe from harm. This Friday, I want everyone who has a site big or small, well known or obscure, to join the world and scan their code base for vulnerable queries and fix them.

Tuesday I blogged Peter Boughton's QueryParam Scanner from RiaForge. Today I'm taking a look at Daryl Banttari's Query Parameterizing tool. Daryl's scanner has an interesting twist. Not only does it find unparameterized queries, it will automatically FIX them FOR you! Daryl Banttari works for WebApper and is part of the genius behind SeeFusion