Adobe Declares, "Water is Wet" and Other Obvious Things
Two days ago security bulletin from Adobe indicated that Dreamweaver "server behaviors" that generate query code will leave you vulnerable to SQL injection attacks. It went on to say that the sky is blue, politicians are dishonest and Michael Jackson is a little odd. This is not news to anyone save Adobe. Using a wizard to generate query code is, at best, only a starting point. Server behaviors have been around for years and they have always generated lousy query code. Scrub the variables you pass to the query or use Cfqueryparam. I would add that the "work-around" example is pretty poor as well. Rather than detail it, I will refer you to Dave Carabetta's excellent blog article on the subject. The bulletin indicates upgrading to DW 8.02 will "fix" the problem. I have a feeling it will generate more code in need of a rewrite. Don't they have any actual CF programmers writing these behaviors?
3 Comments
-
Thanks for the plug. I think it's likely a result of the fact that the authors of most of these TechNotes aren't always developers....they are technical writers, which just means that they can communicate technical jargon to both a non-technical and technical audience. Unfortunately, that means best practices go out the window.
Sites to Watch
Aggregators
RSS
