ColdFusion Tips and Tutorials

ColdFusion Tips and Tutorials. Tips on ColdFusion, AJAX, CSS, JavaScript, HTML, Design, and more.






ColdFusion TIPS PLUS


Issue 00129 http://www.cftipsplus.com

I. My Comments

II. ColdFusion In Context: Determine Your Database Engine
By R. Martin Ladner
martin.ladner@charter.net

III. Website Security
By Don Hammond



Advanced, Intensive ColdFusion Training!
Visit this site. If you have plans to get training here is a company
that provides Advanced, Intensive ColdFusion Training. Check them out.
http://www.coldfusiontraining.com/index.cfm?ref=cftipsplus

I. Comments:

Thanks to those who did send emails in. I still have not found a house,
so things are very hectic for me. Continue to send me emails to remind
me there are people on the other end receiving and reading what I send.
Thanks!



Keep Coding,
Nathan Stanford
http://www.cftipsplus.com

If you have suggestions for articles send them to us.
If you would like to write for cftipsplus.com
send us an email to:

NathanS<at>nsnd.com

IF YOU WANT TO BE AN AUTHOR SEND IN YOUR COLDFUSION TIPS.

Remember this is a great way to get your name known in the
ColdFusion Community.




II. ColdFusion in Context: Determine Your Database Engine
By R. Martin Ladner
martin.ladner@charter.net


SQL is somewhat standard across database engines. However, there are differences that crop up even with common operations such as a search for data similar to a given input. Some query constructs will work with one database engine but not another. Sometimes in collaboration with other individuals, you may have several database engines that are used for development and one that is used for production. So how do you tell your ColdFusion code which database engine is being used in order to have it supply the correct syntax for a given database when those exceptions occur? Are you using MySQL? Microsoft SQL? Microsoft Access? This tip will show a way.

Consider Harmless Questions
The key is to try a harmless operation that works on one database but not another and learn from its success or failure. For example, you can ask MySQL to list current variables. You can declare variables in Microsoft SQL (MSSQL). Just try it.

Code
Put this code in SqlEngine.cfm after changing the datasource to one that's on your machine. Start by assuming that MySQL is in use. Within a try-catch combination, ask the database to "show variables". If this fails, assume that MSSQL is in use. Then within another try-catch combination, try to define a variable. If this fails, assume that Access is in use.

<!--- Start by assuming MySQL; "show variables" is answered only by MySQL --->
<cfset SqlEngine="MySQL">
<cftry>
    <cfquery name="checkMySql" datasource="context">
        show variables
    </cfquery>
    <cfcatch>
        <!--- the probe failed, so this is not MySQL; try MSSQL next --->
        <cfset SqlEngine="MSSQL">
    </cfcatch>
</cftry>
<!--- MSSQL can declare a variable; Access cannot --->
<cfif SqlEngine is "MSSQL">
    <cftry>
        <cfquery name="checkEngine" datasource="context">
            declare @x int
        </cfquery>
        <cfcatch>
            <cfset SqlEngine="Access">
        </cfcatch>
    </cftry>
</cfif>
<cfoutput>The DB engine in use is #SqlEngine#</cfoutput>

Try it; Integrate it
Browse SqlEngine.cfm. If you've named a valid datasource and are using one of these engines, you'll get a valid answer.
To integrate this with your code, have it check the engine at login and store the result for later use. You might put the answer in a table that you read on every request anyway (such as the table that holds client variables); reading that one value back is a simple query whose syntax does not depend on the engine, so storing it in the database is not circular. Or you might store it in a memory variable and refresh it whenever the variable doesn't exist.

I store it in a session variable because I copy all session variables to request variables at the beginning of each page anyway. Strictly speaking, it would be more logical (if less handy for me) to store it in the application or server scope.

The important thing is to make the check, store the result, and use it when needed.
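Here is the check-store-use cycle carried out in the application scope, as an added example that is not part of Marty's article. It assumes the article's SqlEngine.cfm sits beside this page, that cfapplication has enabled the application scope, a datasource named "context", and a "contacts" table with name and phone columns.

```cfml
<!--- Added example (not from the article). Assumes SqlEngine.cfm from the
      article, an enabled application scope, datasource "context" and a
      "contacts" table with name and phone columns. --->

<!--- 1. Check once, store once: the first request after startup probes the
      engine; every later request reads the cached answer. The second check
      inside the lock stops two simultaneous requests from both probing. --->
<cfif not structKeyExists(application, "sqlEngine")>
    <cflock scope="application" type="exclusive" timeout="10">
        <cfif not structKeyExists(application, "sqlEngine")>
            <!--- SqlEngine.cfm sets the variable SqlEngine and prints one line;
                  cfsavecontent swallows the printed line --->
            <cfsavecontent variable="ignored"><cfinclude template="SqlEngine.cfm"></cfsavecontent>
            <cfset application.sqlEngine = SqlEngine>
        </cfif>
    </cflock>
</cfif>

<!--- 2. Use it where the syntax diverges. Row limiting is one such place:
      MySQL uses LIMIT, MSSQL and Access use TOP. Table and column names are
      constants in the code, never request data; values belong in cfqueryparam. --->
<cffunction name="topRowsSql" returntype="string" output="false">
    <cfargument name="engine" type="string" required="true">
    <cfargument name="rows" type="numeric" required="true">
    <cfset var n = int(arguments.rows)>
    <cfif arguments.engine is "MySQL">
        <cfreturn "SELECT name, phone FROM contacts ORDER BY name LIMIT #n#">
    </cfif>
    <cfreturn "SELECT TOP #n# name, phone FROM contacts ORDER BY name">
</cffunction>

<cfquery name="recent" datasource="context">
    #topRowsSql(application.sqlEngine, 10)#
</cfquery>
<cfoutput>Engine #application.sqlEngine#, #recent.recordCount# rows returned</cfoutput>
```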

=Marty=




III. Website Security
By Don Hammond


WEBSITE SECURITY
You may believe that website security is the sole responsibility of the
Server Administrators, but as Microsoft has amply demonstrated, this is not
true. If you are a Webmaster or an Internet programmer of any sort,
security must be foremost in your thoughts.

Let's look at one of the easiest ways to crack a website. One that should
NEVER be able to happen but does all the time. I can find at least one
website within a matter of hours that has this security hole in it.

The failure to have a default webpage. Now most hosting services should
have the ability to browse the folders turned off, but you would be amazed
how many don't. What does this mean and how does a cracker utilize it?

If I come to your site and find a graphic I can right click on it (even if
you have the JavaScript to block right clicks I can do it) and look at the
properties. Here I will see something like
http://www.yoursite.com/graphics/mypicture.jpg

Now I can just cut the graphic name off and be left with
http://www.yoursite.com/graphics and see what happens. IF browsing is
turned off, I will get an error page. IF not, and you have done nothing
about the problem, I will be looking at your directory listing. Okay, so it
is just a bunch of graphics. My next move is to try something like
http://www.yoursite/database. Did you leave THIS unguarded? Does it
contain personal information about people?

So always always always, even if the host says they have browse turned off,
put in a default page. Every folder. Even if all it does is redirect them
to the proper page.

How about scripts and programs for the website? What can be done for
security there?

As Microsoft is finding out, one of the first things to do is always know
what format the incoming data will be in. If you are asking for a phone
number, why use a text box with 50 characters? An earlier article discussed
this issue of MaxLength and how to control it. With Microsoft, they did not
control the data input and crackers found out how to send in long strings
and overflow the buffer and cause the rest to execute giving them control of
the server. For a website, hackers have been known to put in JavaScript and
the page executes giving out vital information.

Know what is coming in. Use JavaScript to check data integrity before a
form ever gets submitted and then check it again to be sure it is what you
expected before doing anything with it.

Forms are a great big hole in your security because they accept data and
send it along to the server for processing. How do you know where that data
is coming from on the processing side?
Search engines started the trend of stopping automatic submissions by using
a random series of letters and numbers in graphic form that the user had to
fill in to a box. This is one way. There are other ways that are a little
less intrusive on the user, however.

One of the best ways is to know WHERE the data is coming from exactly. Is
the form data coming from the form on your website or from an outside
source? Using something like the REFERER CGI variable to know where the
form is coming from is a good way to stop outside submissions.

Another way is to use session variables. Does the data have a session ID?
No? Dump it.
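The two checks above put together in ColdFusion, as an added example that is not Don's code: the form page issues a token bound to the visitor's session, and the processing page drops any post that does not return it, then re-checks the phone field on the server regardless of the browser's maxlength. It assumes cfapplication with sessionmanagement="yes", a datasource named "context", and a "contacts" table; the phone format is a constructed assumption.

```cfml
<!--- Added example, not from the article. Assumes cfapplication with
      sessionmanagement="yes", a datasource "context" and a table "contacts".
      The two files are shown one after the other. --->

<!--- ===== form.cfm ===== --->
<cfif not structKeyExists(session, "formToken")>
    <cfset session.formToken = createUUID()>
</cfif>
<cfoutput>
<form action="process.cfm" method="post">
    <input type="hidden" name="token" value="#session.formToken#">
    Phone: <input type="text" name="phone" maxlength="12" size="12">
    <input type="submit" value="Send">
</form>
</cfoutput>

<!--- ===== process.cfm ===== --->
<!--- Origin check. CGI.HTTP_REFERER is supplied by the client and is often
      blank or altered, so it is only logged as a hint; the decision rests on
      the token, which only a browser holding this session was given. --->
<cfif not structKeyExists(session, "formToken")
      or not structKeyExists(form, "token")
      or form.token neq session.formToken>
    <cflog file="formsecurity" type="warning"
           text="Rejected post: bad token, ip=#cgi.remote_addr# referer=#cgi.http_referer#">
    <cflocation url="form.cfm" addtoken="no">
</cfif>

<!--- Content check. maxlength in the browser is advice the client can ignore;
      the server decides. Format assumed here: 555-123-4567 (12 characters). --->
<cfparam name="form.phone" default="">
<cfset phone = trim(form.phone)>
<cfif len(phone) gt 12 or not reFind("^[0-9]{3}-[0-9]{3}-[0-9]{4}$", phone)>
    <cfoutput>Phone must look like 555-123-4567.</cfoutput>
    <cfabort>
</cfif>

<!--- Only now touch the database, and only through a typed, length-capped parameter --->
<cfquery datasource="context">
    INSERT INTO contacts (phone)
    VALUES (<cfqueryparam value="#phone#" cfsqltype="cf_sql_varchar" maxlength="12">)
</cfquery>
<!--- Single use: a fresh token means a replayed copy of this post is rejected --->
<cfset session.formToken = createUUID()>
<cfoutput>Thanks, your number was recorded.</cfoutput>
```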

Protect your JavaScripts by putting them on a separate page and then calling
them on your main page. This also unclutters your pages and makes the
scripts portable.

There are many other ways to handle basic security on a website. It is up
to us programmers to make sure we don't create security holes that could
lead to the theft of a database full of credit card numbers.






Publisher and Creator:
Nathan Stanford,
NathanS<at>nsnd.com
http://www.cftipsplus.com

Macromedia and ColdFusion are U.S. registered trademarks.


Copyright (c) 2000 - 2003
CFTIPSPLUS.COM and NSND.COM

Permission is granted to circulate this publication via
MANUAL forwarding by email to friends provided that the text is
forwarded in its entirety and no fee is charged.
