Monday, October 22

Avoid SQL Injection with cfqueryparam

After tourism malaysia website defaced a few days ago, the awareness of security of all our websites rised as this happened. To prevent this from happening again, here is the full article.


Some DBMSs let you send multiple SQL statements in a single query. However, hackers might try to modify URL or form variables in a dynamic query by appending malicious SQL statements to existing parameters. Be aware that there are potential security risks when you pass parameters in a query string. This can happen in many development environments, including ColdFusion, ASP, and CGI. Using the cfqueryparam can reduce this risk.

About query string parameters

When you let a query string pass a parameter, ensure that only the expected information is passed. The following ColdFusion query contains a WHERE clause, which selects only database entries that match the last name specified in the LastName field of a form:

SELECT FirstName, LastName, Salary

FROM Employee

WHERE LastName='#Form.LastName#'

Someone could call this page with the following malicious URL:


The result is that ColdFusion tries to execute the following query:

SELECT * FROM Employee


In addition to an expected integer for the Emp_ID column, this query also passes malicious string code in the form of a SQL statement. If this query successfully executes, it deletes all rows from the Employee table--something you definitely do not want to enable by this method. To prevent such actions, you must evaluate the contents of query string parameters.

Using cfqueryparam

You can use the cfqueryparam tag to evaluate query string parameters and pass a ColdFusion variable within a SQL statement. This tag evaluates variable values before they reach the database. You specify the data type of the corresponding database column in the cfsqltype attribute of the cfqueryparam tag. In the following example, because the Emp_ID column in the cfdocexamples data source is an integer, you specify a cfsqltype of cf_sql_integer:

SELECT * FROM Employee


cfsqltype = "cf_sql_integer">

The cfqueryparam tag checks that the value of Emp_ID is an integer data type. If anything else in the query string is not an integer, such as a SQL statement to delete a table, the cfquery tag does not execute. Instead, the cfqueryparam tag returns the following error message:

Invalid data '7 DELETE FROM Employee' for CFSQLTYPE 'CF_SQL_INTEGER'.

Using cfqueryparam with strings

When passing a variable that contains a string to a query, specify a cfsqltype value of cf_sql_char, and specify the maxLength attribute, as in the following example:

SELECT * FROM employees

WHERE LastName =

cfsqltype = "cf_sql_char" maxLength = "17">

In this case, cfqueryparam performs the following checks:

· It ensures that LastName contains a string.

· It ensures that the string is 17 characters or less.

· It escapes the string with single-quotation marks so that it appears as a single value to the database. Even if a hacker passes a bad URL, it appears as follows:

WHERE LastName = 'Smith DELETE FROM MyCustomerTable'.

Using cfSqlType

The following table lists the available SQL types against which you can evaluate the value attribute of the cfqueryparam tag:





















Note: Specifying the cfsqltype attribute causes the DBMS to use bind variables, which can greatly enhance performance.

Saturday, October 20

Minishowcase: The PHP Photo Gallery

minishowcase is a small and simple php/javascript online photo gallery, powered by AJAX that allows you to easily show your images online, without complex databases or coding, allowing to have an up-and-running gallery in a few minutes. Here the demo

  1. New interface
  2. Simple galleries
  3. Lightbox view
  4. Languages
  5. Permanent URLs
  6. Automatic thumbnails
  7. Added viewing features
  8. Private galleries
  9. Plug-in interface
at least php v4.2.0
GD or GD2 extension
FTP account and client.
browser must be JavaScript Enabled
minishowcase is licensed under a Creative Commons Attribution-Share Alike 2.5 License. And was released on Sep. 29, 2007. There's also explanation for configure the theme and intergrate the gallery with another application.

Note: This gallery is not compatible with IE 5.x Mac

Wednesday, October 17

WebSnapr for preview website

WebSnapr lets you capture screenshots/thumbnails of almost any web page. Let your visitors to instantly visualize any web page before clicking. WebSnapr also provides us the WebSnapr Preview Bubble which is a simple, unobtrusive script used to display an overlay bubble showing a hyperlink target thumbnail using WebSnapr. It’s a snap to setup which can increase site traffic, click-through rate and site stickiness.

Currently 289800028 site thumbnails served and counting. You also be able to display the images of previewed website as does.

Display data as Gmail does

gmail-like table

I was referring to this site for getting output as gmail does. It's not too difficult to do that. But I used table to organize the layout. Check the in-line style attach to the tag below

<table style="table-layout: fixed;" width="300">
<td style="overflow: hidden; empty-cells: show; white-space: nowrap;">
Write something longerr here

The code above will restrict the table from expand if you have longer text or image in a '<td style="overflow: hidden; empty-cells: show; white-space: nowrap;">'...

Thursday, October 11

phpESP for Administrate survey processing

phpESP is a set of PHP scripts to let non-technical users create surveys, administer surveys, gather results, and view statistics, all managed online after database initialization.

But I found it's was uneasy for me to install and configure. This software require the application to be run on apache (recommended) but I dare to put it on IIS. Beside, it also need gettext to be install together with your PHP.

However it is listed as the 50 best open source for business even I found it still unstable.

Thursday, October 4

Exploring PHPMyVisites

This is an open-source software for website statistics and audience measurements. I'm currently testing and haven't fully test it. I like the way it lead user to automated installation with simple step-by-step guidance. This software is similar to online web analytics; google analytics. Here is the list of features
  • A clean and user-friendly interface to present data and to aid in data analysis.
  • Clear and concise graphics presenting important information in an easy-to-understand format.
  • Free: phpMyVisites is completely free.
  • Precise visitor statistics over a period of time (day/week/month/year).
  • Visitor Frequency: new visitors, regular (known) visitors, and how often visitors view the web site.
  • Management of web site statistics and all file types (PDF, Image, etc.).
  • Web site page classification available (by groups, by subgroups, etc.).
  • Visitor Analysis: Statistics for pages where visitors leave the web site and for pages where the visitors enter the web site.
  • Geographical Statistics: Classification by continent/country (interactive world map).
  • Technical Configuration Statistics: Web browsers, resolution, managed plug-in, etc.).
  • Complete and clear statistics about web site discovery: How do visitors come to the web site?
  • Live Clearly Defined Web Site Discovery Tools: Search Engines, Web Sites, Partner Sites, Newsletters and Direct Access
  • Able to detect more than 300 internationally-used search engines and keyword associations.
  • Define web sites as partners and add an unlimited number of newsletters.
  • One software installation and track all your website
  • Receive web site statistics everyday by e-mail, by RSS feed, etc.
  • And much more..