CounterMarch Systems

Conference Surfing

Or, why it's worth getting out of your geek shell and attending something totally different.

I've been at the American Association of Advertising Agencies Account Planning conference in Miami for the last couple of days. Until now, I had only ever attended tech conferences - CFun, CFUnited, DEVCON/MAX, WebManiacs, etc. While I am technically here to support a client, I have been poking around and listening in on various conversations and learning a lot about a field that we can't help but come into contact with every single day. Serendipitous learning - the best kind!

For example, there was one workshop yesterday on learning from information architects. The IA field has absorbed ideas from many others and applied them quite successfully to the new problems created by technology. Now these attendees (account planners) are trying to siphon off the same concept and apply it to their field. Very cool! What does that do for advertising and what does it mean for the future of quantitative benchmarking for the effectiveness of advertising? Huge question, generates a ton more -- just great food for thought.

Also surprising (to me, anyway) was the use of Twitter [conference feed] and Flickr [pics]. I got lots of questions about what Twitter is and (more urgently) why anyone would ever want to use it both socially and professionally. Fortunately, some recent tweets I had received were great examples of both. It's fun, simple to use and (as I'm sure you've noticed) really cuts down on full-fledged blog activity. The less-relevant or elaborate thoughts now go to Twitter, leaving the soapbox effort for the blog world. Some folks had a hard time understanding that Twitter is fun, not nearly as important as oxygen, and that we're all still figuring out just how it can be used most effectively. I guess the over-hyped talk about blogs made them somewhat skeptical about 1:many tech-initiated conversation. I have no idea how they'll use this to their advantage, but as long as we still have to approve followers we'll be just fine!

So what have I really learned? The people I'm surrounded by down here are all frantically competing for my attention - and each other's - in an increasingly saturated environment, and they want to use not only technology but the seriously old-school fields of psychology, mathematics and language to get it. Look at this picture for an example of where their heads are. One-many and many-many communication paths are still being explored, with new edges and boundaries becoming the "next great thing." As a technologist, I'm using Twitter as a yardstick for who's really paying attention - if they know what it is, they're doing ok - even if they have zero intention of using it at all. You've got to look at this slide to see that the techies have created a monster that they're aware of and plan on using against us sooner rather than later. Their event horizon is 2010 - only a short 18 months away!

Anyway, this has been tremendously educational and has inspired me to find other conferences that are in some way driven by (but not ruled by) technology. Think about it: these people are technology and tech services consumers (aka potential customers). Where will you find more business, in a room full of people who do what you do or a room full of people who use the services you can provide while speaking their language?

I thought you'd say that. Happy surfing.

QueryParam Scanner

Time to step back and check your work...

Every now and then it's worth taking the time to run a scan tool against your always-growing codebase to make sure you haven't opened up any avenues for a SQL injection attack.

You'd think that after so long and so many repeated warnings we'd all be tighter than tight now and that param-ing our queries would be second nature. This is such an old vulnerability for any webapp and building in fault tolerance from the start should be elementary. For the most part that's absolutely the case...but there are always a few queries that manage to get by without wearing proper protection.

I was a bit surprised at the results after running the QueryParam Scanner tool from RIAForge (thank you, Peter Boughton!) -- until I realized that the tool doesn't exclude SQL in a query of queries (dbtype="query"), nor does it omit values that are set from an unadulterated CF function (now() is one example). Still, it did identify a number of queries that needed a little extra attention just to be truly safe from attack. I highly recommend that you go get it and run it today; you can clean up the mess before you leave work. This would be an excellent feature to be written as an extension to CFEclipse or (as Rob Brooks-Bilson suggested) integrated into standard CF unit testing suites.

Worth noting is that in many cases (at least for the numeric params) we val() the value and set the type on the cfargument tag in all the CFCs all the way down to the DAO level, so even without the cfqueryparam tag we're mostly safe. It's those char/varchar fields that require the most attention (complete with trim(), left(), and maxlength checking!) to be considered sufficiently safe.

All of that aside, cfqueryparam alone is a strong first step to protecting your system from a SQL injection attack. Using it reduces the likelihood you'll be wearing egg on your face on Monday morning!
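To make the scanner behaviour described above concrete, here is a small added example (my own code, not the RIAForge tool) that walks CFML source for #...# interpolations sitting outside a cfqueryparam, while skipping query-of-queries blocks and bare no-argument CF function calls such as now(). The CFML sample is constructed for the example.

```python
import re

# Constructed CFML sample (not from the post): four cfquery blocks covering the
# cases discussed above. Only the first one should be reported.
SAMPLE_CFML = """
<cfquery name="getUser" datasource="app">
    SELECT id, name FROM users WHERE name = '#form.username#'
</cfquery>
<cfquery name="getUserSafe" datasource="app">
    SELECT id, name FROM users
    WHERE name = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>
<cfquery name="filtered" dbtype="query">
    SELECT * FROM getUserSafe WHERE id = #arguments.id#
</cfquery>
<cfquery name="stamp" datasource="app">
    UPDATE users SET last_seen = #now()#
    WHERE id = <cfqueryparam value="#arguments.id#" cfsqltype="cf_sql_integer">
</cfquery>
"""

QUERY_RE = re.compile(r'<cfquery\b([^>]*)>(.*?)</cfquery>', re.IGNORECASE | re.DOTALL)
PARAM_RE = re.compile(r'<cfqueryparam\b[^>]*>', re.IGNORECASE)
INTERP_RE = re.compile(r'#([^#]+)#')
NAME_RE = re.compile(r'\bname\s*=\s*"([^"]*)"', re.IGNORECASE)
DBTYPE_QUERY_RE = re.compile(r'\bdbtype\s*=\s*"query"', re.IGNORECASE)
# Deliberately narrow allowlist: a bare function call with no arguments, e.g. now()
SAFE_FUNC_RE = re.compile(r'^\w+\(\s*\)$')


def scan_cfml(source):
    """Return (query name, expression) for every #...# interpolation that is
    concatenated into a database query rather than bound via cfqueryparam."""
    findings = []
    for attrs, body in QUERY_RE.findall(source):
        if DBTYPE_QUERY_RE.search(attrs):
            continue  # query of queries runs in CF memory, not against the database
        match = NAME_RE.search(attrs)
        qname = match.group(1) if match else "<unnamed>"
        # Interpolations inside a cfqueryparam tag are bound parameters, so drop the tags
        unbound_sql = PARAM_RE.sub("", body)
        for expr in INTERP_RE.findall(unbound_sql):
            expr = expr.strip()
            if SAFE_FUNC_RE.match(expr):
                continue  # e.g. now(): no user-controlled input involved
            findings.append((qname, expr))
    return findings


if __name__ == "__main__":
    for qname, expr in scan_cfml(SAMPLE_CFML):
        print(f"query '{qname}': unparameterized value #{expr}#")
```

Anything it reports is a candidate for a cfqueryparam with an explicit cfsqltype (and maxlength for char/varchar columns); the allowlist is intentionally narrow, so anything it cannot classify is reported rather than silently trusted.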
