• (cs) in reply to BlackTigerX
    Anonymous:

    so of course the fix was to put:

    if (sLogin == "O'Reily") sLogin = "O''Reily";
    if (sLogin == "Robert O'Hare") sLogin = "Robert O''Hare";

    maybe we could create a function to look for "O'" and replace it with "O''"!!!

    done!



    D'oh!
  • (cs) in reply to BlackTigerX
    Anonymous:
    Bus Raker:
    richleick:
    Alex Papadimoulis:

    When developing an application that uses in-line SQL queries, it's essential to protect against "SQL Injection", i.e. the insertion of SQL code as a result of a string concatenation. For example, if productNum comes directly from user input, it might contain a malicious string, such as "'; DROP DATABASE --"

    myQuery = "SELECT Prod_Name FROM Products WHERE Prod_Num='" + productNum + "';";

    The best way to do this is through "parameterized queries," which lets the database libraries take care of it. The next best way is to write your own escaping functions. And the next best way is to replace all instances of "O'Reily" with "O''Reily".

    Close.  Add the use of stored procedures and I'm all for it.  Oh wait, that would mean if you are using an earlier version of MySQL you probably never heard of these.

    Uh ... I think parameterized queries = stored procedures.  Is there another kind I don't know about?

    uh?...

    parameterized queries != stored procedures

    Sorry ... I'm only a product of my experience, which has been that all database involvement through an application happens via stored procedures.  How else can you control security at the action level?

  • (cs) in reply to Dave
    Anonymous:
    Anonymous:
    DZ-Jay:

    There are certainly other frameworks for developing web applications apart from ASP or PHP, and some of them focus on RAD, some of them even better, faster, and more robust and secure than your precious ColdFusion.  But I most definitely wouldn't call ColdFusion a "Real Programming Language".

        -dZ.



    Name one. 
     


    Ruby.


    on
    Rails

    That was my first thought, although I've never used it.
  • Araska (unregistered) in reply to Russ
    Russ:

    Seriously.  I dare you.  Name one other programming language that even comes close to CF in terms of RAD. 


    Logo.  Logo is RAD.
  • (cs) in reply to Dave
    Anonymous:
    Anonymous:
    Name one... Seriously.  I dare you.
    Ruby.
    Excuse me sir, the maitre d' sent me over... he asked me to pass on this message... *ahem*

    YOU GOT SERVED!

    ...to be serious for a moment, I think the mistake was in saying "real web programming language" at all. IMO, ColdFusion looks more like a "templating language". It's advanced as those go, yes, but you can't expect calling an XML-based language a "programming language" to be taken seriously.
  • Jud (unregistered) in reply to Russ

    Anonymous:

    Such as?  I can write any stored procedure inside a CF query, and it will probably run in about the same time if I use parameters to call it.  Other than speed, what other benefits are there?

    If you're using SQL Server, the difference in execution time is true for older versions (pre-7.0 I believe).  In current versions the execution plan is cached for ad-hoc queries, almost eliminating the difference in execution time.

    If you're performing a "bulk insert" without using the bulk insert command (most DBAs will disable this because it places a lock on the entire table) by repeatedly calling INSERT, it would be more efficient to pass the entire SQL text than to iteratively call a stored procedure.

    To me, the benefit comes in having all direct table access logic separated from the code.  If something needs to be changed in a SQL script, only the stored procedure needs to be deployed.  Also, if you're lucky enough to have no exceptions that require straight SQL, you can grant users only execute permissions to the stored procedures, so there's no ad-hoc queries that lock important tables or perform data manipulation that you haven't explicitly allowed.  In a word, abstraction.

    To wrap it up, if you need to find out which queries access a specific table (because you're about to add a required column, or whatever reason) you just need to grep the directory(ies) that contain the stored procedure scripts.  You can also have multiple applications that use the same stored procedures, and for some reason it's not practical for these apps to use the same data access layer.

  • IRRePRESSible (unregistered) in reply to JR
    Anonymous:
    Simple, ban the Irish and the Scots.



    Or at least the ones that were rich enough to make it through the depression
  • (cs) in reply to Jud
    Anonymous:

    To wrap it up, if you need to find out which queries access a specific table (because you're about to add a required column, or whatever reason) you just need to grep the directory(ies) that contain the stored procedure scripts.  You can also have multiple applications that use the same stored procedures, and for some reason it's not practical for these apps to use the same data access layer.



    Or, if you're using SQL Server, you can use sp_depends, which will tell you about ALL procs hitting a particular table regardless of where their create scripts are.
  • (cs) in reply to BlackTigerX
    Anonymous:
    Bus Raker:
    richleick:
    Alex Papadimoulis:

    When developing an application that uses in-line SQL queries, it's essential to protect against "SQL Injection", i.e. the insertion of SQL code as a result of a string concatenation. For example, if productNum comes directly from user input, it might contain a malicious string, such as "'; DROP DATABASE --"

    myQuery = "SELECT Prod_Name FROM Products WHERE Prod_Num='" + productNum + "';";

    The best way to do this is through "parameterized queries," which lets the database libraries take care of it. The next best way is to write your own escaping functions. And the next best way is to replace all instances of "O'Reily" with "O''Reily".

    Close.  Add the use of stored procedures and I'm all for it.  Oh wait, that would mean if you are using an earlier version of MySQL you probably never heard of these.

    Uh ... I think parameterized queries = stored procedures.  Is there another kind I don't know about?

    uh?...

    parameterized queries != stored procedures

    At least someone (i.e. BlackTiger) knows what the $%$# they are talking about.  I think we have stumbled upon one of the main reasons this site exists.  Instead of teaching basic principles (e.g. data structures, object oriented principles, database fundamentals, etc.) programmers (if they can call themselves that) today are taught a language like VB, Cold Fusion, or whatever.  Languages have become so advanced that one thinks they are meant to do everything when in fact they should simply make our job a bit easier.  Objects within the language are created so that we can access the database faster and easier (e.g. connection or recordset objects).  Isn't the language really supposed to act as an interface between the data and the UI or end user?  Maybe this is oversimplifying things a bit, but the fact that there are people out there who believe using paramaterized queries is the same as using a stored procedure just infuriates me.  GET A CLUE!  It doesn't matter if it's Cold Fusion, VB, .NET, Java, whatever.  Learn the basic principles and fundamentals and then choose a language that works for you.

    SERENITY NOW!
  • Tyson Tune (unregistered) in reply to Jud
    Anonymous:
    can you guys PLEASE find something more interesting to talk about than development platform wars.. it's so tired!


    Exactly, no one platform is the most elegant in all situations.
  • (cs) in reply to Russ
    Anonymous:
    DZ-Jay:

    There are certainly other frameworks for developing web applications apart from ASP or PHP, and some of them focus on RAD, some of them even better, faster, and more robust and secure than your precious ColdFusion.  But I most definitely wouldn't call ColdFusion a "Real Programming Language".

        -dZ.



    Name one. 

    And I didn't say it's a real programming language.  I said it's a "Real Web Programming Language".  It has not much use outside the web world, but in the web world it's one of the most robust, RAD platforms out there.  Seriously.  I dare you.  Name one other programming language that even comes close to CF in terms of RAD. 


    Ruby and just about any other thing on Rails.

        dZ.

  • dasgsdgsd (unregistered) in reply to Russ
    Anonymous:
    Anonymous:
    Ah, another useless CF coder.
     
    CF does *not* automatically prevent SQL injection.
     
    Doing this in CF is just as bad as the example quoted:
     
    <cfquery>
    select *
    from table
    where id = #id#
    </cfquery>
     
    The way to prevent SQL injection in CF is to use the <cfqueryparam> tag.
     
    <cfquery>
    select *
    from table
    where id = <cfqueryparam value="#id#">
    </cfquery>
     
    Gawd, why the hell are all CF users so damned smug and yet so dumb?


    I never said that it automatically prevents SQL injection, but it does automatically escape single quotes. 

    Although your example is one of the right ways to prevent sql injection, there are many more. 

    <cfargument name="id" type="numeric">
    and
    <cfquery>
    select *
    from table
    where id = #val(id)#
    </cfquery>
     
    are 2 other ways, and neither of them prevents you from caching the query. 

    So stop shooting off your mouth when you don't know any better.   
    Spare me your pedantic shit.  I've used CF since 1997, so I'm far more of a veteran of that POS platform than you assume.
     
    Yeah, the val function sure works well for strings and dates.
     
    And <cfargument> is used only within <cffunction>, what the fuck does it have to do with SQL injection?  I suggest you "stop shooting off your mouth when you don't know any better.", loser.
  • (cs) in reply to GoatCheez
    GoatCheez:
    Anonymous:
    can you guys PLEASE find something more interesting to talk about than development platform wars.. it's so tired!


    No, YOU'RE A TOWEL!!!


    I'M NOT SHOELESS! YOU'RE SHOELESS!!!


        -dZ.
  • (cs) in reply to mhughes
    mhughes:
    Anonymous:


    Name one. 

    And I didn't say it's a real programming language.  I said it's a "Real Web Programming Language".  It has not much use outside the web world, but in the web world it's one of the most robust, RAD platforms out there.  Seriously.  I dare you.  Name one other programming language that even comes close to CF in terms of RAD. 


    I haven't used CF in a long time... is the following still true?

    Cold Fusion is to (Ruby On Rails | PHP | JSP) what Visual Basic is to (C++ | C# | Java)


    Pretty much.
  • me (unregistered) in reply to Russ

    I was a jsp/servlet programmer, I changed jobs and was forced to use ColdFusion and hated it (luckily I'm back to servlets/portlets). It did allow developers to create apps quickly but it led to badly designed apps. Basically, I would describe CF as a set of jsp tags in a fancy editor. Now that JSTL (and many other tag libs) exists and the java editors can use them effectively, I don't see any advantages of CF. The makers have done a lot of work to integrate it with other languages/platforms etc but this just convinces me that they don't see any value in their product either.


    JSP I believe is more efficient than coldfusion, but a lot harder to code in.  Basically you are trading execution speed for development time.  And with the speed of the servers on the market today, do you really want to do that?
    If used incorrectly, any language/platform will be slow, regardless of server.

    ColdFusion runs on top of J2EE sort of like JSP.  It also allows you to call java classes natively.  So basically it's JSP that's a little slower, but lets you develop applications a lot faster.
    Huh, why is JSP slower? They get compiled into servlet classes. I'm fairly certain CF gets compiled into classes as well. Yes, I agree that you can generally develop applications faster using CF but only because of the editor. If you take a CF programmer and a jsp programmer and just give them text editors, I suspect the jsp programmer will create a better app in less time (just because they are better programmers and understand dev principles better).

    My 2 cents, based upon many years exp in both.

    PS, when I refer to jsp apps, I assume they are actually true MVC apps that use servlets, jsps, tag libs etc..


  • (cs) in reply to Bus Raker
    Bus Raker:
    Anonymous:
    Bus Raker:
    richleick:
    Alex Papadimoulis:

    When developing an application that uses in-line SQL queries, it's essential to protect against "SQL Injection", i.e. the insertion of SQL code as a result of a string concatenation. For example, if productNum comes directly from user input, it might contain a malicious string, such as "'; DROP DATABASE --"

    myQuery = "SELECT Prod_Name FROM Products WHERE Prod_Num='" + productNum + "';";

    The best way to do this is through "parameterized queries," which lets the database libraries take care of it. The next best way is to write your own escaping functions. And the next best way is to replace all instances of "O'Reily" with "O''Reily".

    Close.  Add the use of stored procedures and I'm all for it.  Oh wait, that would mean if you are using an earlier version of MySQL you probably never heard of these.

    Uh ... I think parameterized queries = stored procedures.  Is there another kind I don't know about?

    uh?...

    parameterized queries != stored procedures

    Sorry ... I'm only a product of my experience, which has been that all database involvement through an application happens via stored procedures.  How else can you control security at the action level?



    I apologize in advance for the shameless plug, but you might want to read this:

    http://weblogs.sqlteam.com/jeffs/archive/2006/07/21/10728.aspx

    Please note that the point of the article is *not* to avoid stored procedures, but rather how to correctly use parameters to not only avoid sql injection but to avoid other issues that arise when you concatenate SQL statements and input all into 1 big string to execute.

    Stored procs, IMHO, are the way to go, but even if you don't use them, you should never need to escape any user input when using a database library that supports parameterized queries.
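    The ranking quoted throughout this thread (bound parameters first, hand-written escaping second, ad-hoc string patches last) and Bus Raker's point that a library with parameterized queries removes the need to escape user input at all can be shown side by side. The following is an added example, not code from the thread or from any poster; it uses Python's standard sqlite3 module as a stand-in for the pseudo-code query and for <cfqueryparam>, and the Products table and its rows are constructed sample data. The "'; DROP DATABASE --" input is the one quoted in the thread.

```python
import sqlite3

# Constructed sample table (not from the thread): one product number contains a
# single quote, the case the thread's "O'Reily" patch was trying to handle.
PRODUCTS = [
    ("A100", "Widget"),
    ("B200", "Gadget"),
    ("O'Reily", "Irish Handbook"),
]

# The malicious input quoted in the thread.
HOSTILE_INPUT = "'; DROP DATABASE --"


def make_db():
    """Build an in-memory SQLite database holding the constructed Products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (Prod_Num TEXT, Prod_Name TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)", PRODUCTS)
    return conn


def lookup_concatenated(conn, product_num):
    """The pattern from the thread: user input spliced into the SQL text.

    A quote inside the input ends the string literal early, so the rest of the
    input is tokenized as SQL instead of being treated as a value. Returns the
    matching names, or an 'error: ...' string when the spliced text changed or
    broke the statement (sqlite3 refuses to run more than one statement).
    """
    sql = "SELECT Prod_Name FROM Products WHERE Prod_Num='" + product_num + "';"
    try:
        return [row[0] for row in conn.execute(sql)]
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return "error: " + str(exc)


def lookup_parameterized(conn, product_num):
    """Bound parameter: the SQL text is fixed and the value travels separately,
    so it is never parsed as SQL. This is the 'parameterized query' the thread
    recommends and what <cfqueryparam> does for ColdFusion."""
    sql = "SELECT Prod_Name FROM Products WHERE Prod_Num = ?"
    return [row[0] for row in conn.execute(sql, (product_num,))]


def escape_sql_string(value):
    """Hand-rolled escaping, the thread's 'next best' option: double every single
    quote. This is only correct for a value placed inside a single-quoted SQL
    string literal; it does nothing for numeric positions or identifiers, which
    is one reason bound parameters are preferred."""
    return value.replace("'", "''")


def lookup_escaped(conn, product_num):
    """Concatenation made safe for string literals by escaping every value."""
    sql = ("SELECT Prod_Name FROM Products WHERE Prod_Num='"
           + escape_sql_string(product_num) + "';")
    return [row[0] for row in conn.execute(sql)]


def run_all():
    """Run each variant against the legitimate quoted name and the hostile input."""
    conn = make_db()
    return {
        "concat_quote": lookup_concatenated(conn, "O'Reily"),
        "concat_hostile": lookup_concatenated(conn, HOSTILE_INPUT),
        "param_quote": lookup_parameterized(conn, "O'Reily"),
        "param_hostile": lookup_parameterized(conn, HOSTILE_INPUT),
        "escaped_quote": lookup_escaped(conn, "O'Reily"),
        "escaped_hostile": lookup_escaped(conn, HOSTILE_INPUT),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:16} {result}")
```

    The concatenated variant cannot even look up the legitimate "O'Reily" row, which is exactly why the per-name patch at the top of the thread was written; the bound-parameter variant finds it, and treats the hostile input as a product number that simply does not exist.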
  • Jud (unregistered) in reply to John Bigboote
    John Bigboote:
    Anonymous:

    To wrap it up, if you need to find out which queries access a specific table (because you're about to add a required column, or whatever reason) you just need to grep the directory(ies) that contain the stored procedure scripts.  You can also have multiple applications that use the same stored procedures, and for some reason it's not practical for these apps to use the same data access layer.



    Or, if you're using SQL Server, you can use sp_depends, which will tell you about ALL procs hitting a particular table regardless of where their create scripts are.

    sp_depends is OK for a quick glimpse but sysdepends can get out of sync.  For example if your change management team deploys a proc before a table, they get a warning that the procedure is applied but sysdepends has not been updated.

  • Evan M. (unregistered)

    I have no idea how you guys go from this to a giant discussion about SQL-injection attacks and the like, but really, the only impression that I get from this line of code is that whoever wrote it doesn't bother to look at the bigger picture at times, and prefers to write a quick work-around, rather than an all encompassing solution, resulting in a lot of single use code that could be shrunk down to a couple well-written methods.

  • dasgsdgsd (unregistered) in reply to Irrelevant
    Irrelevant:
    Anonymous:
    Anonymous:
    Name one... Seriously.  I dare you.
    Ruby.
    Excuse me sir, the maitre d' sent me over... he asked me to pass on this message... *ahem*

    YOU GOT SERVED!

    ...to be serious for a moment, I think the mistake was in saying "real web programming language" at all. IMO, ColdFusion looks more like a "templating language". It's advanced as those go, yes, but you can't expect calling an XML-based language a "programming language" to be taken seriously.
    It's not an XML-based language.  I don't think you know what you're talking about either, so don't even bother.
     
    ColdFusion is an imperative programming language that just has a weird syntax.  It also has some declarative elements to it, but for the most part you code imperatively.
     
    The main problem I find with it is that it's bloody expensive, it's buggy as hell, it's a massive resource hog, and it ain't "robust" in any sense of the word.
     
    Its main failing is that it's one of those 80/20 solutions.  It does 80% of what you need, and the other 20% is going to kill you.
     
    Take threading.  There's no way for you to manage threads.  Sure, most of the time you don't need threads.  But when you do, there's absolutely no way for you to extend the language to use threads without jumping to Java.  Which totally defeats using the RAD language in the first place.
  • Russ (unregistered) in reply to dasgsdgsd
    Anonymous:
    Anonymous:
    Anonymous:
    Ah, another useless CF coder.
     
    CF does *not* automatically prevent SQL injection.
     
    Doing this in CF is just as bad as the example quoted:
     
    <cfquery>
    select *
    from table
    where id = #id#
    </cfquery>
     
    The way to prevent SQL injection in CF is to use the <cfqueryparam> tag.
     
    <cfquery>
    select *
    from table
    where id = <cfqueryparam value="#id#">
    </cfquery>
     
    Gawd, why the hell are all CF users so damned smug and yet so dumb?


    I never said that it automatically prevents SQL injection, but it does automatically escape single quotes. 

    Although your example is one of the right ways to prevent sql injection, there are many more. 

    <cfargument name="id" type="numeric">
    and
    <cfquery>
    select *
    from table
    where id = #val(id)#
    </cfquery>
     
    are 2 other ways, and neither of them prevents you from caching the query. 

    So stop shooting off your mouth when you don't know any better.   
    Spare me your pedantic shit.  I've used CF since 1997, so I'm far more of a veteran of that POS platform than you assume.
     
    Yeah, the val function sure works well for strings and dates.
     
    And <cfargument> is used only within <cffunction>, what the fuck does it have to do with SQL injection?  I suggest you "stop shooting off your mouth when you don't know any better.", loser.


    In our environment all the queries are inside cffunctions as we separate the data layer, and therefore it's a working alternative to cfqueryparam. 

    Val works for numbers.  For strings you would use single quotes inside the cfquery, and all other single quotes are automatically escaped.  I dare you to show me a piece of code that does sql injection using strings.  

    We don't use dates, so I'm not sure whether or not that needs to be cfqueryparam'ed. 

    So stop with the name calling, crawl out from your parents' basement, and get a life. 
  • Russ (unregistered) in reply to dasgsdgsd
    Anonymous:
    Irrelevant:
    Anonymous:
    Anonymous:
    Name one... Seriously.  I dare you.
    Ruby.
    Excuse me sir, the maitre d' sent me over... he asked me to pass on this message... *ahem*

    YOU GOT SERVED!

    ...to be serious for a moment, I think the mistake was in saying "real web programming language" at all. IMO, ColdFusion looks more like a "templating language". It's advanced as those go, yes, but you can't expect calling an XML-based language a "programming language" to be taken seriously.
    It's not an XML-based language.  I don't think you know what you're talking about either, so don't even bother.
     
    ColdFusion is an imperative programming language that just has a weird syntax.  It also has some declarative elements to it, but for the most part you code imperatively.
     
    The main problem I find with it is that it's bloody expensive, it's buggy as hell, it's a massive resource hog, and it ain't "robust" in any sense of the word.
     
    Its main failing is that it's one of those 80/20 solutions.  It does 80% of what you need, and the other 20% is going to kill you.
     
    Take threading.  There's no way for you to manage threads.  Sure, most of the time you don't need threads.  But when you do, there's absolutely no way for you to extend the language to use threads without jumping to Java.  Which totally defeats using the RAD language in the first place.


    The whole point is that it lets you do the 80% of stuff you need very easily.  For the other 20%, you can jump to java (or get someone else's extension written in java or c++).

    And I do believe there is a way to manage threads now using event gateways, but I haven't played around with it yet.    
  • mSoft (unregistered) in reply to Russ

    Don't know if I would call ColdFusion a "real web programming language", maybe a "real scripting language" (kind of like ASP was a "real useful language").

    The best way of doing it (if you are going to ignore parameterised queries and escaping) is to run all the queries via an account that has minimum necessary privileges (i.e. SELECT on only the necessary tables), but the best defence is defence in depth so applying all of the approaches mentioned is really the only true "best way".

    =)

  • (cs) in reply to Sean

    Sean:
    Anonymous:
    Simple, ban the Irish and the Scots.


    And the Vulcans.

    And the Jaffa.  In fact, most extra-terrestrials won't be able to use that system.

     

  • (cs)

    It's about time to create a new mascot for kids: SQL Injection Panda.

  • (cs) in reply to Russ

    Anonymous:
    Name one other programming language that even comes close to CF in terms of RAD. 

    ASP & PHP

    I can develop apps 20 times faster in either than in Cold Fusion

     

    'Course, I've never used Cold Fusion.  Nor do I give a rat's ass if something is buzzword-compliant ('RAD') or not.

     

     

  • Russ (unregistered) in reply to Jud
    Anonymous:

    Anonymous:

    Such as?  I can write any stored procedure inside a CF query, and it will probably run in about the same time if I use parameters to call it.  Other than speed, what other benefits are there?

    If you're using SQL Server, the difference in execution time is true for older versions (pre-7.0 I believe).  In current versions the execution plan is cached for ad-hoc queries, almost eliminating the difference in execution time.

    If you're performing a "bulk insert" without using the bulk insert command (most DBAs will disable this because it places a lock on the entire table) by repeatedly calling INSERT, it would be more efficient to pass the entire SQL text than to iteratively call a stored procedure.

    To me, the benefit comes in having all direct table access logic separated from the code.  If something needs to be changed in a SQL script, only the stored procedure needs to be deployed.  Also, if you're lucky enough to have no exceptions that require straight SQL, you can grant users only execute permissions to the stored procedures, so there's no ad-hoc queries that lock important tables or perform data manipulation that you haven't explicitly allowed.  In a word, abstraction.

    To wrap it up, if you need to find out which queries access a specific table (because you're about to add a required column, or whatever reason) you just need to grep the directory(ies) that contain the stored procedure scripts.  You can also have multiple applications that use the same stored procedures, and for some reason it's not practical for these apps to use the same data access layer.



    I don't know how you keep your stored procs in directories (maybe on mysql), but we use sql server, and it's hell managing stored procs.  That's why we put everything in CFCs now (ColdFusion Components, basically classes), and all the db access happens through there.  If I need to see what method accesses a certain table, I can just do a search from eclipse, and can even do a replace all in one place.  And the code gets put into subversion and gets deployed when it needs to get deployed. 

    Stored procs are a pain.  If there was an easy way to have them in source control, maybe I'd use them more, but in a web environment, where you don't necessarily care about fine grained permissions to stored procs, I much prefer to have them in my code (in a separate data layer of course).
  • (cs) in reply to richleick

    richleick:
    but the fact that there are people out there who believe using paramaterized queries is the same as using a stored procedure just infuriates me.  GET A CLUE! 

    In my databases there are no such things as parameterized queries (BTW not paramaterized).  If a front-end developer wants to use them they will have to find a new gig.  Might as well give them a license to run dynamic SQL...

    ha ha ha

    BTW I also pronounce them DAAT - A - BASES not DAHT-A-BASES.

    Take that!  You should really take a valium rather than let a post bother you so much.  You also probably yell at traffic.

  • (cs) in reply to merreborn
    merreborn:

    "Currently, a valid SSN cannot have the first three digits (the area number) above 772, the highest area number which the Social Security Administration has allocated."

    http://en.wikipedia.org/wiki/Social_Security_number_%28United_States%29#Valid_SSNs

    Either wikipedia's dead wrong, or someone was feeding your system invalid SSNs


    Wikipedia wrong?  Somebody stop the presses!

    I had to get taxpayer identification numbers for my kids.  Taxpayer identification numbers are like social security numbers for non-residents who have to pay taxes or be declared as dependants by other tax payers, and they are designed to be entered into forms that require a SSN, and follow the same numbering conventions.  My daughters' TINs started in the 970s.

  • (cs) in reply to Russ
    Anonymous:
    DZ-Jay:

    There are certainly other frameworks for developing web applications apart from ASP or PHP, and some of them focus on RAD, some of them even better, faster, and more robust and secure than your precious ColdFusion.  But I most definitely wouldn't call ColdFusion a "Real Programming Language".

        -dZ.



    Name one. 

    And I didn't say it's a real programming language.  I said it's a "Real Web Programming Language".  It has not much use outside the web world, but in the web world it's one of the most robust, RAD platforms out there.  Seriously.  I dare you.  Name one other programming language that even comes close to CF in terms of RAD. 


    Ruby on Rails is 3 degrees RADer than CF, and even ASP.NET is RADer by a factor of two. I think you need to learn how to quantify RADness first, then you can make statements on how RAD something is. Do a google on RAD quantifying techniques for programming languages, you'll find the current preferred method is the "Web2.0ifizationer" as opposed to the now old "ScriptKiddie1337nessFinder".

    Oh... wait... you meant rapid application development, not "cool" nifty trend.... my bad lol
  • (cs) in reply to Russ

    Anonymous:

    Personally, I haven't looked into Ruby yet,

    I've looked into it.  eh, nothing special that can't be done in any other language.  I really don't get the over-zealousness of its disciples on the net.  It's practically cult-like.

     

     

     

  • (cs) in reply to Saarus

    Those numbers aren't SSNs but are Temporary ID numbers assigned by DoD and not by SSA.

  • (cs) in reply to Saarus
    Saarus:

    The use of 800-series SSNs is not restricted to illegal immigrants.

    When I was in the USAF I worked medical records, which are filed by SSN. On base would be foreign military members and family members, on exchange for training or layover, who had no SSNs. SSN is required for medical treatment in a military medical facility. For all such foreign nationals, they are assigned a SSN which starts with 800. the rest is determined by DOB. If two or more such people have the same DOB, the first three digits are incremented.



    Were people actually issued those SSNs?  Or is this just an internal policy for dealing with record keeping?

    Just 'cause you referred to these people by numbers that were in an SSN format at work, doesn't mean that those people were actually issued those SSNs.  So said 800 SSNs still wouldn't qualify as valid.

    mattwho:
    Those numbers aren't SSNs but are Temporary ID numbers assigned by DoD and not by SSA.


    Looks like mattwho just confirmed my suspicions

  • Jud (unregistered) in reply to Russ

    Anonymous:


    I don't know how you keep your stored procs in directories (maybe on mysql), but we use sql server, and it's hell managing stored procs.  That's why we put everything in CFCs now (ColdFusion Components, basically classes), and all the db access happens through there.  If I need to see what method accesses a certain table, I can just do a search from eclipse, and can even do a replace all in one place.  And the code gets put into subversion and gets deployed when it needs to get deployed. 

    Stored procs are a pain.  If there was an easy way to have them in source control, maybe I'd use them more, but in a web environment, where you don't necessarily care about fine grained permissions to stored procs, I much prefer to have them in my code (in a separate data layer of course).

    We keep the scripts in VSS (soon Telelogic) and check them out to a local working directory.  Open the script in query analyzer, make the edits, apply, until you're satisfied.  Then check it back in, capture the version # of the script, and send that info off in the deployment instructions.

  • merreborn's nemesis (unregistered) in reply to merreborn

    "Currently, a valid SSN cannot have the first three digits (the area number) above 772, the highest area number which the Social Security Administration has allocated."

    "Either wikipedia's dead wrong, or someone was feeding your system invalid SSNs"

    Actually, for university purposes, sometimes foreign students get 'pretend' SSNs much higher than that.  It's a widely known problem that SSNs aren't unique nor well-ranged.

    CAPTCHA: mustache???
  • Boaz (unregistered)

    This comment is majorly off topic, but this reminds me of HaXml, which is an XML processing library for Haskell. You can use it to transform XML, as in XSLT, only you're not limited by the fake languageness of XSLT. Anyways, the basic idea behind HaXml is that you use filters, which are functions mapping an XML node to other XML nodes, and combinators, which combine these filters in various ways. One of these combinators composes two filters, feeding the results of one filter into another filter. Because filters take a single node as input and return a list of nodes, the standard Haskell composition operator doesn't suffice. Instead, you need an operator that calls the second filter on each of the results of the first filter. Borrowing from the mathematical composition notation, which is a little circle, the HaXml people decided to use the o for an operator. To use a function as an infix operator in Haskell, you surround it by backquotes (take that, lisp!). Thus

    filter1 `o` filter2 `o` filter3

    It's called "Irish composition".

  • (cs) in reply to Russ

    Anonymous:

    Actually the best way of doing it is to use a real web programming language like ColdFusion, which will do all the escaping for you.

    Thank you!  I know other people have picked up the ball on this; but, it's really the best laugh I've gotten out of the forum in a week.  Too bad I had a mouth full of coffee.

    The best part is where you go from calling it a "real web programming language" directly into explaining how it shields the developer from actually having to understand development.

    Brilliant!


  • (cs) in reply to GoatCheez
    GoatCheez:

    Ruby on Rails is 3 degrees RADer than CF, and even ASP.NET is RADer by a factor of two. I think you need to learn how to quantify RADness first, then you can make statements on how RAD something is.


    I'm so beyond RAD it's ridiculous. I now evaluate development platforms in terms of COOL (Compliance with Object-Oriented Languages) and DOPE (Design-Oriented Platform Extensions)
  • Smurf (unregistered) in reply to Philbert Desanex

    Since when do stored procedures prevent SQL injection attacks?

    You still have to properly escape or parameterize your queries. Whether they call a stored procedure or not is 100% immaterial.

    I dance the captcha (foxtrot).

  • (cs) in reply to Russ
    Anonymous:
    Anonymous:
    Ah, another useless CF coder.
     
    CF does *not* automatically prevent of SQL injection.
     
    Doing this in CF is just as bad as the example quoted:
     
    <cfquery>
    select *
    from table
    where id = #id#
    </cfquery>
     
    The way to prevent SQL injection in CF is to use the <cfqueryparam> tag.
     
    <cfquery>
    select *
    from table
    <!--- the value is bound as a typed parameter, never spliced into the SQL text --->
    where id = <cfqueryparam value="#id#" cfsqltype="cf_sql_integer">
    </cfquery>
     
    Gawd, why the hell are all CF users so damned smug and yet so dumb?


    I never said that it automatically prevents SQL injection, but it does automatically escape single quotes. 

    Although your example is one of the right ways to prevent sql injection, there are many more. 

    <cfargument name="id" type="numeric">
    and
    <cfquery>
    select *
    from table
    where id = #val(id)#
    </cfquery>
     
    are 2 other ways, and neither of them prevents you from caching the query. 

    So stop shooting off your mouth when you don't know any better.   


    I think this was the biggest problem I found when I tried programming in ColdFusion (this was about 2.5 years ago).  There are multiple ways to access the value of a variable, but certain ones are only available in certain contexts.  Also, some of the methods seem grossly verbose.

    Also, I found that there were several tags that served essentially the same purpose, but had different limitations to how they could be nested.  Although it was all well documented, it was unintuitive and often seemed to lack any underlying logic.
  • Kazan (unregistered) in reply to DZ-Jay

    hehe anonymous doesn't realize ColdFusion the web application shit is just as functional as the other ColdFusion

    ColdFusion is a clusterfuck of shit with no redeeming value whatsoever

    if you want to use java server pages, use java server pages, not java-server-pages-lite (aka Coldfusion)

    either way - JSP and CFM are 100% lossage  

  • (cs) in reply to Smurf
    Anonymous:
    Since when do stored procedures prevent SQL injection attacks?

    You still have to properly escape or parameterize your queries. Whether they call a stored procedure or not is 100% immaterial.


    Only if you are calling your procs by dynamically concatenating an EXEC string, which is a really bad idea.
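
The point Smurf makes, and the reply that the hole only comes back when the procedure is called through a concatenated EXEC string, come down to one question: does user input ever become part of the SQL text? The following is an added example, not code from any commenter, written in Python against SQLite (which has no stored procedures, so the EXEC-string case is represented by the same concatenation pattern). The table, rows and function names are constructed for the demonstration. It shows the three approaches side by side: concatenation, which breaks on O'Hare and is injectable; quote-doubling, which fixes both of those inside a quoted string but does nothing in the unquoted numeric context (`where id = #id#`); and a bound parameter, which holds in both contexts.

```python
import sqlite3

# Constructed sample rows (not from the thread); the apostrophe case is the one
# the article is about.
SAMPLE_USERS = [
    (1, "O'Hare", "Robert"),
    (2, "Smith", "Jane"),
    (3, "Root", "Admin"),
]


def make_db():
    """In-memory SQLite database standing in for the SQL Server / MySQL back ends in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, lastname TEXT, firstname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def _ids(cursor):
    return sorted(row[0] for row in cursor)


# 1. Concatenation: the pattern from the article.
def by_lastname_concat(conn, lastname):
    sql = "SELECT id FROM users WHERE lastname = '" + lastname + "'"
    return _ids(conn.execute(sql))


# 2. Hand-rolled escaping: double every single quote (the generalised "O''Reily" fix).
def quote_escape(value):
    return value.replace("'", "''")


def by_lastname_escaped(conn, lastname):
    sql = "SELECT id FROM users WHERE lastname = '" + quote_escape(lastname) + "'"
    return _ids(conn.execute(sql))


def by_id_escaped(conn, user_id):
    # The same escape in an unquoted numeric context ("where id = #id#" above):
    # there is no quote for the attacker to close, so escaping is a no-op.
    sql = "SELECT id FROM users WHERE id = " + quote_escape(user_id)
    return _ids(conn.execute(sql))


# 3. Parameterised: the value is bound by the driver, never spliced into SQL text.
def by_lastname_param(conn, lastname):
    return _ids(conn.execute("SELECT id FROM users WHERE lastname = ?", (lastname,)))


def by_id_param(conn, user_id):
    return _ids(conn.execute("SELECT id FROM users WHERE id = ?", (user_id,)))


def concat_breaks_on_apostrophe(conn):
    """True if the concatenated query fails on a legitimate O'Hare, the article's bug."""
    try:
        by_lastname_concat(conn, "O'Hare")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("concat, O'Hare:         error =", concat_breaks_on_apostrophe(db))
    print("concat, quote payload:  ", by_lastname_concat(db, "x' OR '1'='1"))
    print("escaped, O'Hare:        ", by_lastname_escaped(db, "O'Hare"))
    print("escaped, quote payload: ", by_lastname_escaped(db, "x' OR '1'='1"))
    print("escaped, numeric ctx:   ", by_id_escaped(db, "0 OR 1=1"))
    print("param, numeric ctx:     ", by_id_param(db, "0 OR 1=1"))
    print("param, O'Hare:          ", by_lastname_param(db, "O'Hare"))
```

Running the module prints the result for each case. The lesson that generalises beyond the thread is that escaping is tied to the context it was written for, while a bound parameter is never parsed as SQL at all; that is why the CF `val()` trick is needed for numbers in a concatenated query, whereas `cfqueryparam` is not context-specific.
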
  • Kazan (unregistered) in reply to Russ
    Anonymous:


    In our environment all the queries are inside cffunctions as we separate the data layer, and therefore it's a working alternative to cfqueryparam. 

    Val works for numbers.  For strings you would use single quotes inside the cfquery, and all other single quotes are automatically escaped.  I dare you to show me a piece of code that does sql injection using strings.  

    We don't use dates, so I'm not sure whether or not that needs to be cfqueryparam'ed. 

    So stop with the name calling, crawl out from your parents' basement, and get a life. 


    I know many instances of SQL injections via strings *cough*lazy PHP programmers who don't use mysql_escape_string*cough* - however I am not allowed to show you the code snippets

    I'm an aggressive SQL-injection killer whenever I pick up maintainership of a PHP application.

    btw you started out your entire "CFM IS GREAT!" with a lie about "cfm automatically.. blah blah" bullshit

    escaping php values in php? two functions - mysql_escape_string() not binary safe, mysql_real_escape_string() binary safe

    sounds like you have a lot of munging to do in CFM to figure out your context crap

    CFM = slow, shitty, crap
  • (cs) in reply to Saarus
    Saarus:
    themagni:
    merreborn:
    Satanicpuppy:
    Stupid. Where there is one special case there are a million, so, unless you want to fix them all by hand, it's time to re-imagine your logic.

    I had the reverse problem once...I was working on a system where the system automatically threw out all SSNs that started with "800". I got egg on my face because I told the user that that was impossible (I hadn't written the application, and I "knew" the guy who had hadn't been a MORON), and when she showed me that it was possible, I set forth on a quest to find the one line of code that declared all 800 SSNs invalid.

    Sigh.


    "Currently, a valid SSN cannot have the first three digits (the area number) above 772, the highest area number which the Social Security Administration has allocated."

    http://en.wikipedia.org/wiki/Social_Security_number_%28United_States%29#Valid_SSNs

    Either wikipedia's dead wrong, or someone was feeding your system invalid SSNs


    They're using the 800 series for Illegal Immigrants.

    The use of 800-series SSNs is not restricted to illegal immigrants.

    When I was in the USAF I worked medical records, which are filed by SSN. On base would be foreign military members and family members, on exchange for training or layover, who had no SSNs. SSN is required for medical treatment in a military medical facility. For all such foreign nationals, they are assigned an SSN which starts with 800. The rest is determined by DOB. If two or more such people have the same DOB, the first three digits are incremented.



    Huh. I thought I was making a joke. I'm not from the US, so I don't see a lot of SSN. Come to think of it, I think that the Woolworth's example is the only one I've seen.

  • (cs) in reply to Russ
    Anonymous:


    Actually the best way of doing it is to use a real web programming language like ColdFusion, which will do all the escaping for you.  The best, best way is to do it in ColdFusion with parameterized queries, but even if the coder is not smart enough to use them, this kind of issue just wouldn't even come up.


    OK, I can't decide what's funnier: the fact that ColdFusion has the name of one of the biggest scientific hoaxes ever, and the name never changed, or the fact that someone's trying to argue its merits on a site like this. And I write using ColdFusion (and other things -- that's key. Usually zealotry comes in proportion to how narrow a person's experience is). Thanks for the laugh!
  • me (unregistered) in reply to Russ
    I don't know how you keep your stored procs in directories (maybe on MySQL), but we use SQL Server, and it's hell managing stored procs.  That's why we put everything in CFCs now (ColdFusion Components, basically classes), and all the db access happens through there.  If I need to see what method accesses a certain table, I can just do a search from Eclipse, and can even do a replace all in one place.  And the code gets put into Subversion and gets deployed when it needs to get deployed.

    Stored procs are a pain.  If there was an easy way to have them in source control, maybe I'd use them more, but in a web environment, where you don't necessarily care about fine grained permissions to stored procs, I much prefer to have them in my code (in a separate data layer of course).

    I don't understand why you couldn't use stored procedures & source control, I did this for many years using SQL Server & CVS. Stored procedures can be written as plain text files and "installed" easily by running the text file in query analyzer, enterprise administrator or the command line tool since they use the create command (use an ifdefined / drop statement to delete it first when necessary). I think if you export a stored procedure using enterprise manager, it adds all the drop/create commands for you. If you change the sp, you have to re-install it again but this is no different than changing a query in CF and re-installing the cf page.

    There's many pros/cons about stored procedures but having them in source control should not be an issue at all.
  • (cs) in reply to BlackTigerX

    http://www.eff.org/Privacy/ID_SSN_fingerprinting/ssn_structure.article

    Another article stating SSNs starting with 800 are fake.  I don't doubt that many organizations use these to identify those without SSNs, but that doesn't make them valid.

    If you have to feed your software SSNs for every customer, your software is flawed.

  • Russ (unregistered) in reply to GrandmasterB
    GrandmasterB:

    Anonymous:
    Name one other programming language that even comes close to CF in terms of RAD. 

    ASP & PHP

    I can develop apps 20 times faster in either than in Cold Fusion

    'Course, I've never used Cold Fusion.  Nor do I give a rat's ass if something is buzzword-compliant ('RAD') or not.


    Let's see... How about a small example.  Get a list of users from the database and output firstname, lastname and username.  Here is the code in CF
    <cfquery name="qryUsers" datasource="#request.mydsn#">
    select firstname, lastname, username from users
    </cfquery>
    <cfoutput query="qryUsers">#firstName# #lastName# #userName#<br></cfoutput>


    Now let's see how long and convoluted a similar example in PHP/ASP is going to be.
  • (cs)
    Anonymous:

    merreborn:

    "Currently, a valid SSN cannot have the first three digits (the area number) above 772, the highest area number which the Social Security Administration has allocated."

    http://en.wikipedia.org/wiki/Social_Security_number_%28United_States%29#Valid_SSNs

    Either wikipedia's dead wrong, or someone was feeding your system invalid SSNs


    "CURRENTLY" is the key word here.  Do you want to have to change the code in the system when the SSA starts allocating numbers that start with 800?  And, in the future, just how exactly are you to know that the SSA has started doing this?  Are they going to publicly announce that they are now using numbers that start with 800 (or above 772?)  And does the "currently" statement have a date on it?  "Currently" could have been a couple of years ago (how old is Wikipedia, anyway?) and might not even now be valid. 

    You don't want to code something related to SSNs starting with 800 based on what the SSA "currently" does.


    Good point!  Why validate anything?  Just 'cause the big 4 major credit card companies use the "Mod 10" hashing algorithm doesn't mean you shouldn't accept cards that don't pass the check!

    Hell, they don't allow *letters* in SSN numbers yet, but they might someday, so let's let those in too!  And maybe they'll add more digits later!

    Don't validate data!  It's more future proof!

    In a well-written system, there's a single "ValidateSSN" function for this sort of thing.  If anything changes, there's a single place to update the code.
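
An added example (not from any commenter) of the single validation function this comment argues for, in Python. It keeps the policy numbers in one place: MAX_AREA uses the 772 figure quoted from Wikipedia earlier in the thread, and an optional set of placeholder area numbers lets a site that knowingly issues 800-series "pretend" numbers accept them deliberately rather than by accident. The names and the two settings are assumptions for the example, not SSA rules. The thread's "currently" caveat is a real one: the SSA later randomised assignment and the area-number ceiling no longer holds, which is exactly why the threshold belongs in a setting rather than in a literal comparison scattered through the code. The Luhn (mod 10) check the comment mentions for card numbers is included for contrast.

```python
import re

# Policy values live here, in one place. MAX_AREA is the figure quoted from
# Wikipedia in the thread; PLACEHOLDER_AREAS is empty by default and can be set
# to {800} by a site that knowingly issues "pretend" numbers to people without
# an SSN, as described above. Both are assumptions for this example, not SSA rules.
MAX_AREA = 772
PLACEHOLDER_AREAS = frozenset()


def _split_ssn(text):
    """Return (area, group, serial) for 'AAA-GG-SSSS' or 'AAAGGSSSS', else None."""
    s = text.strip()
    if re.fullmatch(r"\d{3}-\d{2}-\d{4}", s):
        s = s.replace("-", "")
    if not re.fullmatch(r"\d{9}", s):
        return None
    return int(s[:3]), int(s[3:5]), int(s[5:])


def validate_ssn(text, max_area=MAX_AREA, placeholder_areas=PLACEHOLDER_AREAS):
    """The single ValidateSSN function the comment above calls for.

    Format is checked first; then the area number is tested against the
    configured ceiling, with an explicit opt-in for placeholder series.
    """
    parts = _split_ssn(text)
    if parts is None:
        return False
    area = parts[0]
    if area in placeholder_areas:
        return True
    # Area 000 is never issued; the upper bound is the configurable policy value.
    return 1 <= area <= max_area


def luhn_valid(number):
    """Mod 10 (Luhn) check, the card-number test the comment mentions.

    Spaces are tolerated as separators; any other non-digit fails the check.
    """
    compact = number.replace(" ", "")
    digits = [int(c) for c in compact if c.isdigit()]
    if not digits or len(digits) != len(compact):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    for sample in ("123-45-6789", "800-12-3456", "12345678"):
        print(sample, validate_ssn(sample), validate_ssn(sample, placeholder_areas={800}))
    for card in ("79927398713", "4111 1111 1111 1111", "79927398714"):
        print(card, luhn_valid(card))
```

If the SSA changes its allocation, or a site decides to accept its own placeholder series, the change is one constant (or one call-site argument), not a hunt for the line that rejected everything starting with 800.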
  • Jud (unregistered) in reply to me
    Anonymous:
    I don't know how you keep your stored procs in directories (maybe on MySQL), but we use SQL Server, and it's hell managing stored procs.  That's why we put everything in CFCs now (ColdFusion Components, basically classes), and all the db access happens through there.  If I need to see what method accesses a certain table, I can just do a search from Eclipse, and can even do a replace all in one place.  And the code gets put into Subversion and gets deployed when it needs to get deployed.

    Stored procs are a pain.  If there was an easy way to have them in source control, maybe I'd use them more, but in a web environment, where you don't necessarily care about fine grained permissions to stored procs, I much prefer to have them in my code (in a separate data layer of course).

    I don't understand why you couldn't use stored procedures & source control, I did this for many years using SQL Server & CVS. Stored procedures can be written as plain text files and "installed" easily by running the text file in query analyzer, enterprise administrator or the command line tool since they use the create command (use an ifdefined / drop statement to delete it first when necessary). I think if you export a stored procedure using enterprise manager, it adds all the drop/create commands for you. If you change the sp, you have to re-install it again but this is no different than changing a query in CF and re-installing the cf page.

    There's many pros/cons about stored procedures but having them in source control should not be an issue at all.

    Drop/Create means you have to reapply permissions.  If your DBA is an arrogant ass (a lot are) you might want to try this as a practical joke.

  • Jane (unregistered)

    When I did a lot of web application work I always used apostrophes in every text box I could. I still do test things this way - I guess old habits die hard :-)

Leave a comment on “Poor Mr. O'Hare ”
