ColdFusion Muse

Adobe Declares, "Water is Wet" and Other Obvious Things

Mark Kruger | May 10, 2006 12:09 PM | ColdFusion Security | Comments (3)

Two days ago a security bulletin from Adobe indicated that Dreamweaver "server behaviors" that generate query code will leave you vulnerable to SQL injection attacks. It went on to say that the sky is blue, politicians are dishonest and Michael Jackson is a little odd. This is not news to anyone save Adobe. Using a wizard to generate query code is, at best, only a starting point. Server behaviors have been around for years and they have always generated lousy query code. Scrub the variables you pass to the query, or use cfqueryparam. I would add that the "work-around" example is pretty poor as well. Rather than detail it, I will refer you to Dave Carabetta's excellent blog article on the subject. The bulletin indicates that upgrading to DW 8.02 will "fix" the problem. I have a feeling it will generate more code in need of a rewrite. Don't they have any actual CF programmers writing these behaviors?
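As an added illustration (not code from this post or from Adobe's bulletin), here is a wizard-style concatenated query beside the cfqueryparam form the post recommends; the `users` table, the `myDSN` datasource and the URL/FORM fields are assumed, and the shape of the "before" query is a typical wizard pattern rather than a quote from the bulletin.

```cfml
<!--- Wizard-style query (assumed shape, not quoted from the bulletin):
      the raw URL value is concatenated into the SQL text, so whatever the
      client sends is executed as SQL rather than treated as data. --->
<cfparam name="URL.id" default="1">
<cfquery name="rsUserUnsafe" datasource="myDSN">
    SELECT id, username, email
    FROM   users
    WHERE  id = #URL.id#
</cfquery>

<!--- Hardened form: cfqueryparam sends the value as a bound parameter.
      The database never interprets it as SQL, and cfsqltype="cf_sql_integer"
      makes ColdFusion reject a non-integer value before the query runs. --->
<cfquery name="rsUser" datasource="myDSN">
    SELECT id, username, email
    FROM   users
    WHERE  id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same idea for a free-text search field: a varchar parameter with a
      maxlength, so the input is bound as data and can never close the
      string literal or append statements. --->
<cfparam name="FORM.search" default="">
<cfquery name="rsSearch" datasource="myDSN">
    SELECT id, username
    FROM   users
    WHERE  username LIKE <cfqueryparam value="%#FORM.search#%"
                                       cfsqltype="cf_sql_varchar"
                                       maxlength="60">
</cfquery>
```

A quick check when reviewing generated code: any `#variable#` that appears inside a `<cfquery>` body without a surrounding `<cfqueryparam>` is a candidate for exactly the problem the bulletin describes.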



  • Posted By Dave Carabetta | 5/10/06 10:58 AM
    Thanks for the plug. I think it's likely a result of the fact that the authors of most of these TechNotes aren't always developers... they are technical writers, which just means that they can communicate technical jargon to both a non-technical and technical audience. Unfortunately, that means best practices go out the window.
  • Posted By Tariq Ahmed | 5/10/06 11:38 AM
    'water is wet' - lol, nice! :)
  • Posted By Brian Kotek | 5/10/06 1:49 PM
    But water IS wet! :-p