I have no idea when they did this, but, Google has gotten a little more intelligent yet again, this time figuring out flight searches.

Do a Google Search for new york to san francisco or dtw to lax, and you'll be prompted for dates, and will be able to click to search Expedia, Hotwire, Orbitz, and Priceline.

I was just on a web site (no, not a ColdFusion powered site, and no I will not name names) browsing for specific content. The URLs used typical name=value query string conventions, and so I changed the value to jump to the page I wanted. And I made a typo and added a character to the numeric value. The result? An invalid SQL error message.

That's bad. Very very bad. It means that I was able to create a SQL statement that was submitted to the database for processing, a SQL statement that was passed to the database as is, unchecked.

You'd think that by now we'd have learned to lock down our code so as to prevent SQL injection attacks, but apparently this is not the case. You do not know what a SQL injection attack is? Well, read on.

Consider the following simple dynamic ColdFusion query:

Here a WHERE clause is being populated dynamically using a URL parameter. This type of code is common and popular, and is often used in data drill-down interfaces. If the URL was: the resulting SQL statement would be: But what if someone tampered with that URL so that it read: Now the resulting SQL would be: And depending on the DBMS being used, you could end up executing two statements – first the SELECT, and then DELETE Customers (which would promptly delete all data from the Customers table).

Scared? You should be. SQL statements are not just used for queries. They are also used by most DBMSs to create and drop tables, create user logins, change passwords, set security levels, manage scheduled events, even creating and dropping entire databases. And whatever features are supported by your DBMS may be accessible this way.

Before I go further I must point out that this is not a ColdFusion vulnerability at all. In fact, it is not even a bug or a hole. This is truly a feature – many DBMS do indeed allow queries to contain more than a single operation, this is legal and by design.

Of course, you should always be checking parameters anyway before passing them to your DBMS. Passing client supplied data (URL parameters, FORM fields, and even cookies) through unchecked is programmatic suicide. Attacks aside, it is flat out unsafe to ever assume that data submitted by a client can be used as is.

As such, you should already be using code like this:

This single line of code will lock SQL injection attacks out. How? Think about it, SQL injection (within ColdFusion apps) is really only an issue with non textual fields. If a text value is tampered with you'll end up with tampered text, but that text will all be part of the core string (within quotes) passed as a value, and will therefore not be executed as separate statements. Numbers, on the other hand, are not enclosed within quotes, and so extraneous text can be tampered with to create an additional SQL statement. And <cfparam> can protect you.

Of course, you may want more control, in which case you could use code like this:

And as an additional line of defense you can use <cfqueryparam>, as seen here:

If the previous tampered URL was passed to the this query, the value would be rejected and an error would be thrown. The CFSQLTYPE (aside from binding variables) performs data type validation checks, and values that do not match the type are rejected. That's it, only integers allowed, and malicious tampered URL parameters are not integers.

The bottom line is that SQL injection attacks have been around for as long as dynamic SQL itself. ColdFusion has made it incredibly easy to protect yourself against such attacks. Be it <cfparam> or <cfqueryparam> or your own conditional processing, it's simple to protect yourself, and your responsibility to do so.

If you have not been paying attention to this risk, stop whatever you are doing, fire up your IDE, and do a search for every single <cfquery> in your code. Then quickly scan to find any that contain #'s in them (that are not enclosed in quotes or passed to <cfqueryparam>), and make a list of the variables used. If any of them are URL parameters or FORM fields, create a <cfparam> for each (at the top of the page, or before the <cfquery>). It's that simple. Really. There is no legitimate reason not to protect yourself, so just do it. Now! And I mean right now, before you leave for the day or take off for the holidays, and despite whatever project you are working on or deadline you are up against. No excuses (and if your boss complains about you switching gears to take care of this one, send him my way!).

Enough said! (I hope).

(UPDATED 07/24/2008)

Since this post was made, SQL injection attacks have evolved, and it is now know that even strings are vulnerable. See the more current related posts linked below.

Todd Sharp has created Genesis, a ColdFusion MX 7 Flash Forms based database query tool. This is a really nice utility, as well as a pretty cool demonstration of Flash Forms use.

Here are some questions that I received about my new MySQL Crash Course. I am posting the answers here in case anyone else has the same questions:

Does the book cover MySQL 5?

The book was written for MySQL 4.x and MySQL 5, and most of the content applies to both. However, there are chapters that are MySQL 5 specific (those that cover features new to MySQL 5, like stored procedures and triggers and views). Throughout the book, differences between MySQL 4.x and MySQL 5 are pointed out where appropriate.

I have your Sams Teach Yourself SQL in 10 Minutes, is there any value in buying this new book too?

Sure, buy lots of copies! :-) Ok, seriously ... this book is based on the TY10 SQL book, and much of the introductory content is the same (although the exact examples are different). If you learned SQL from that book then you will find much of the content in this new one to be familiar, in which case not all of this new title will be of value to you. However, there is lots of new content throughout, and several entirely new lessons, and that may indeed be of value. So, it's up to you. Obviously, this book will be more compelling to those who don't have the TY10 SQL book, but I hope that all who are interested in learning MySQL will find this new book to be of value. Oh, and we kept the cover price really low, so that should make the decision easier.

What about a Crash Course on ...?

This new book was created because my existing Sams Teach Yourself SQL in 10 Minutes cannot cover all DBMSs in as much detail as some require. Each title in the new Crash Course series concentrates on a single DBMS, thereby allowing coverage of more advanced content as well as DBMS specific material. And yes, it is a series. The MySQL title is the first to be released, and the next two titles (due out early 2006) will be on Microsoft SQL Server T-SQL and Oracle P/SQL. They may be additional tiles after those two are released, but none I can't publicly commit to yet.

Is there an electronic version of this title available?

Yes, an electronic edition has been released by Safari

My newest book, MySQL Crash Course, is now shipping. This book is based on my bestselling Sams Teach Yourself SQL in 10 Minutes, and builds on top of the lessons and structure of that book. By focusing on just MySQL, this book goes into far more detail than the SQL book, and even includes coverage of new MySQL 5 functionality (including stored procedures, triggers, and views). Details, and a chapter listing, can be found on the book page.

FusionReactor (which I first mentioned a couple of weeks ago) has been updated, and now supports stack trace even on Java 1.4.2.

MaxNOC has released (under GNU license) Looking Glass, a ColdFusion Components that can perform ping, traceroute, dig, whois, DNS lookups, and more.

Rob Mackenzie wrote to tell me about Underscore Framework, built on Fusebox basics, but enhanced to include natural URLs and simplified configuration files and more. This is based on work that Rob has been using in production systems for about two years, and he recently wrote up documentation and created examples.

Check out the new "got coldfusion?" mugs at ColdFusionGear. Thanks, Will!

Lee Asher (Expert Author) has written a story for WebProNews entitled ColdFusion: Quicker Scripting, At A Price. He seems to have gotten lots of the story right, although not entirely so. He really does not seem to have gotten the ColdFusion/Java relationship, however.

And then he makes the statement ColdFusion on the web can sometimes be unreliable and slow, mainly because it runs on a Java framework.

And ... well ... I just don't even know how to respond to that one!

CIO Magazine ran a story on Web Services last month. The story is presented as a quiz entitled "Are You Ready For Web Services?" with 12 multiple choice questions, each with answers worth from 0 to 5 points. I have issues with a few of the supposed right answers, but question 8 really irks me:

8.I plan to develop Web services in:

a. Java (5 points)

b. .Net (5 points)

c. other (such as Macromedia ColdFusion, Ruby on Rails, Ajax) (3 points)

Can anyone explain why ColdFusion based Web Services are worth less points than those written in Java, when ColdFusion Web Services are Java (built on top of Apache Axis)?

This sent to me by Russell Schneider of Super Warehouse in San Diego, CA:

Super Warehouse is a high energy and fast growing ecommerce company looking for an experienced Cold Fusion and/or Java developer with at least 3-5 years of experience. Can work remotely or on-site. Prefer fusebox experience. Will be working on our homegrown order management and content management systems. Please contact Giana and attach your resume.

Hugo Sombreireiro has written a review of ColdFusion MX 7 for SitePoint. Thanks to Casey Franklin for sending me the link.

Here is your chance to help spec what could very well be a feature in the next major ColdFusion update! Ready?

One frequent ColdFusion feature request is for Microsoft Exchange integration, and this is something we are considering for "Scorpio". Most ColdFusion use is on internal networks - intranets and portals and departmental sites. And so when you think about the types of applications being built in ColdFusion, Exchange integration actually makes a whole lot of sense.

But what does integration mean to you? What features do you need? How could you use Exchange integration from within your ColdFusion applications? Obviously, ColdFusion can send e-mail via <cfmail>, receive e-mail via <cfpop>, and access directory services via <cfldap>. But that is using Exchange, not really integrating with it. So, what else could you really use?

I have some specific ideas myself, but I am not going to share them (yet) so as to not lead the conversation. Rather, I'd like you to share your ideas and suggestions. If your organization uses Microsoft Exchange, please post your thoughts (the more detail the better).

Paul Mignard likes ColdFusion, or so it seems.

This one sent to me by James Edmunds. For all of you college football fans out there, the official Bowl Championship Series site is powered by ColdFusion MX. (I am posting this one even though, as a Brit, I still don't understand why the name "football" is used for a sport in which feet never come in contact with the ball).

CFDJ interviewed David Mendels, Senior Vice President of Adobe's Enterprise and Developer Solutions Business Unit, and asked some pointed questions about the future of ColdFusion and Adobe's commitment to the product. The bottom line is "Don't Panic", but for more details read the interview

My computer started acting up today. The first indication that something was wrong was when POP mail requests started throwing strange error codes (SMTP and Exchange mail worked, just POP was failing). And then FTP transfers started retry lots of random packets. The only change I made to my computer was installing Communication Manager, the software for my new 3G card, but that could not be the problem, the card was not in the machine and Communication Manager was not running. Right? Well, after lots of tinkering I uninstalled Communication Manager, and suddenly everything started working again. Which is bizarre, because Communication Manager does not startup by default, it is run only when needed. Just to prove the point, I reinstalled and uninstalled Communication Manager several times, and sure enough, when installed (even if not running and without the PC card in the machine) lots of stuff broke (including POP e-mail), and when uninstalled the problems went away.

After lots of Google searches and a long chat with a techie at Cingular, the culprit was identified. Communication Manager installs another application, a data acceleration client. The software improves connection performance by doing things like degrading image quality, and I assume that there is software on the Cingular network end that actually does the compression as requested by the client. Lots of Communication Manager users have reported issues with data acceleration with all sorts of applications (including Norton Anti-Virus and Norton Internet Security).

But still, how could software that is not running cause problems? As per the documentation:

Data compression is only in effect when Cingular Communication Manager is connected to a Cingular GSM network and has successfully negotiated a session with the data acceleration server in the Cingular network.

In other words, if Communication Manager is not running then neither is data acceleration. And even if Communication Manager is running, data acceleration only impacts connections via the GPRS/3G card, not any other connections. That's what the documentation implies.

And, apparently that is not true. The Setting dialog in Communication Manager allows data acceleration to be started stopped and configured at will, and also allows it to be installed and uninstalled. Well, I uninstalled it. And suddenly everything works again.

Honestly, I am appalled. For starters, why the heck would data acceleration be tinkering with POP packets? And why was it messing with data sent over regular LAN and WiFi connections? But the bigger issue is simply this, how dare Cingular install software telling me that it will only run when executed, when it was clearly running at other times, too?

Not cool at all. No, I won't dump my 3G card yet, I still need to give it a real world road test. But if any of you install Communication Manager, do yourself a favor and uninstall data acceleration!

I am posting this with my LAN connection unplugged and WiFi disabled. And no, I am not using a dial-up connection. This is 3G at work.

Cingular has just rolled out 3G coverage in parts of the country, and so of course I replaced by GPRS card with a new HSDPA/UMTS EDGE/GPRS card (a Sierra Wireless AirCard 860). In other words, I can be online via GPRS just about anywhere on the planet, and via 3G connection in the U.S. where available. The card also supports WiFi, but I disabled that.

Initial speed tests show 600K download speed and 60K upload, quite a bit faster than GPRS. I'll be on the road quite a bit now and plan to give this baby quite the workout.

Oh, and Cingular is offering a $60/month unlimited data plan now.

A developer asked me how he could get absolutely accurate time information for an application that he is working on. He cannot rely on local server time as he has no control over the machine, and can't verify that it is accurate (and can't change the time if not). There is no NTP (network time protocol) tag in ColdFusion, but fortunately one is not needed, because the NIST time servers also respond to plain text daytime protocol requests.

Here is a quick UDF I threw together to solve the problem. Call GetNISTTime() and it'll return a structure containing the raw data returned from the time server, as well as individual fields broken out for ease of use:

To test this code you can just use:

A friend of mine over at PowerOne Media just sent me an e-mail to tell me that he is looking for several ColdFusion developers (at several skill levels) at their Ann Arbor, MI location. Primary responsibilities to include working on a ColdFusion based online automotive product, and some technical support work. Job listings are online, although that page does not list all of the open CF positions. If you are interested in learning more, there is an e-mail link at the bottom of the page.

Contrary to what many believe, there are in fact Adobe Bloggers! Yeah!

I received a package from Palm this morning. It contained a little plastic SIM card tray to replace the one in the top of my Treo 650. As per the accompanying note:

Palm has learned that some SIM cards may not fit tightly enough in the SIM tray provided with the Treo 650 product. As a result, the SIM card contacts may lose their connection resulting in possible dropped calls or occasional shutdown of the phone function.

My gut feel is that this cannot be the cause of the reliability problems that I (and many others) have experienced with the Treo 650. But, I've switched SIM trays, you never know.

Yes, I now work for Adobe. Although, what I am doing is no different to what I was doing while working for Macromedia. I am talking to customers and developers, answering questions, working on some new articles and content, tinkering with ColdFusion/Flex integration ... for now, as far as ColdFusion specifically is concerned, this is little more than a change in name.

It is worth noting that ColdFusion is now part of the Adobe "Enterprise and Developer Solutions Business Unit" which is also responsible for Flex (as well as the Adobe LiveCycle products). And it is also worth noting that the team responsible for ColdFusion has not changed either, nor has our planning for "Scorpio" (although, I must confess, the new integration possibilities are positively mouth-watering).

There is a new Treo update out for Cingular users. This was not a painless update to install. In fact, it took several failed tries and multiple hard resets, so be sure you have a good backup before upgrading.

The good news: Amongst the enhancements in version 1.17 is improved Bluetooth support, including the publishing of extended status information. This means that the Treo can finally publish signal strength (which my car displays in the dashboard). Battery life is still not published, but that is less important.

The bad news: Within the first 30 minutes after installing the update, my Treo hung twice. So don't expect reliability to improve.