http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

I put something like this in my application.cfm file to re-rout the attackers temporarily:

<cfif FindNoCase('user>0',cgi.query_string) OR findNoCase('declare',cgi.query_string)
OR findNoCase('EXEC(@',cgi.query_string)>
    <cflocation url="http://www.ftc.gov">
</cfif>

On the other hand, some things look like they were tacked on as an afterthought, and the overall interface is not as user-friendly as a basic Windows program should be that has been around for as many years as it has. The title bar is gone and the path to the current file has been stuck into a little spot that is reserved for page tabs. It sounds like a minor thing, but it's one of the most important parts of coding in a multi-tab editor. As soon as you open more than a few pages, the file path is cut off, and with a few more open, it disappears. Major step backwards here:

The other obvious usability problem here is the black text on dark grey in the tabs. On a laptop it's impossible to see, as is the white text on the dark grey. Also, the individual pages have a close button (X) which is a great bonus, but it would have been nice to have a close button on the frequently used panels (like Find/Replace) so you don't have to right click to pick a menu item to close a panel. Also, the entire border of the program is gone, making it blend into other open programs on your desktop. I understand this is the new "owl" interface, but owls should be left in the woods to live in trees. We really don't need the artsy fartsy stuff in a code editor.

But all in all, I would recommend the program. I use Eclipse all day long at my place of employment, and it is simply not as intuitive or easy to use as DW. Code view in DW has come a long way since the days of Ultradev. Download it and try it out, and by all means make suggestions in the forums on things that can be made better.

The Cartweaver development team is pleased to announce the release of the Downloadable Products Plug-in for Cartweaver 3 CF

Now you can deliver your digital products immediately! This Cartweaver plug in allows your customers to download documents, PDFs, music, photos, artwork, software, and other digital products right away!

- Easy to integrate with your Cartweaver 3 CF store
- Upload your digital products via the store admin
- Customers can log in and download immediately after purchase
- Customers can re-download as few or as many times as you allow
- Customers can update contact information
- View entire order history
- Print out previous history

Available now! Go to the Products - Plug-Ins page and log in for availability and pricing.

The class is typically used on a page by itself, or on any page within conditional statements. You link to the page and the file download begins. The class constructor has 3 arguments:

$csvfile = new CSVFile(recordsetName, [quotes true or false], [filename]);

The first is the MySQL recordset. The second optional argument is true or false to put quotes around the fields. The third optional argument is the filename, which defaults to Download.csv by default.

To use it, follow these instructions:

1. If this is a Cartweaver recordset, make sure you include the application.php file at the top of the page:

require_once("application.php");

2. Include the class file:

require_once("yourclassdirectory/CSVFile.php");

3. Create your recordset. Below is a typical Dreamweaver recordset, using the Northwind database that you can download here for MySQL if you don't have it:

mysql_select_db($database_connNorthwind, $connNorthwind);
$query_rs = "SELECT p.ProductID, p.ProductName, p.UnitPrice FROM products p ORDER BY p.ProductID";
$rs = mysql_query($query_limit_rs, $connNorthwind) or die(mysql_error());

For Cartweaver, a typical recordset might look like this:

$query_rs = "SELECT * FROM tbl_orders ORDER BY order_Date";
$rs = $cartweaver->db->executeQuery($query_rs, "rs");

4. Add a line to invoke the CSVFile class:

$csvfile = new CSVFile($rs, true);

5. Link to the file.

Now, when the page is browsed, the file download will begin immediately.

somevariable=1%20and%201=convert(int,(select%20top%201%20username%20from%20adminusers))

or

somevariable=1%20and%201=convert(int,(select%20top%201%20char(97)%2bpassword%20from%20adminusers))

or an attack specific to SQL Server:

somevariable=convert(int,(select top 1 table_name from information_schema.tables))--sp_password

somevariable=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (dtproperties)))--sp_password

somevariable=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (dtproperties,sysconstraints)))--sp_password

somevariable=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (dtproperties,sysconstraints,syssegments)))--sp_password

somevariable=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (dtproperties,sysconstraints,syssegments)))--sp_password

The first problem was an exploit of the user's default error handling page -- if no error handling is in place, the error message might contain the username, password, or other information:

Error Executing Database Query. [Macromedia][SQLServer JDBC Driver][SQLServer]Syntax error converting the varchar value 'yourpassword' to a column of data type int. <br>The error occurred on line 102.

In the real attack, the user password was shown on the page. The password was prefaced with the letter "A" -- the char(97) in the attack. This is in case the password started with a number. This can be prevented by using <cfqueryparam> or other device specific to your programming language to make sure integer values are passed as integers.

The second problem is that the default web database user has access to tables that should never be accessible to the web. The malicious user was able to obtain table information from information_schema.tables, and work from there, systematically building each time on information that was previously obtained.

The best possible scenario is to turn off all table access to the web and only access data through stored procedures. That is not always possible. At the very minimum, only expose the data necessary for the site, and only allow access to statements that are required for operation of the site. For example, if you have a table called "Payments", and this is only available to admins, create two SQL username/password logins and use one for the publicly accessed site and one for the admin section. Turn off all permissions to the "Payments" table for the web user. Create "SELECT" permissions only on tables that only need to have data displayed.

As a DBA (which you are if you have a web site with a database and you are the person responsible for the database), you need to know how to secure your data. That involves setting up specific database users for specific access. If a web host gives you a dbo user for a specific database, do not under any circumstance use this username for your web site. This user can be used to create web user logins with specific access. MySQL has similar security features. Access users are out of luck.

The other key is never displaying error messages to users. Make sure your error handling page only shows a pretty message to the user with no information in it, like "You've created an error. Go back and try again." Or prettier than that.

And don't use words or letters for username/password combinations. Passwords should be 10 characters or more, and contain letters, numbers, and special characters. Brute force password guessing programs can figure out a password quickly if you use English language words or just letters.

I'm getting these attacks on my site too. It's scary sometimes having a web site, but hopefully there are safety measures in place to keep these parasites out.

I'll be at both TODCON and CFUnited this year, so if anyone wants to see a demo of CW, see me.

www.cartweaver.com

Correction: Pricing for upgrades is $100 until the end of May. More time available. The full price of $295 is now in effect for new users

There are many companies out there with shopping cart software, and some have come and gone. I'm sure many of them are great products, too. One thing about me that you might know if you've purchased extensions from this site is that I try to stand behind my code. I came to Cartweaver after version 2 had already been out, and translated the complete existing cart to PHP. I have complete ownership of the PHP code for Cartweaver, having translated or written every line of code in the product, and complete ownership of support for that product. For me, a product is like a child. You might send them off when they grow up, but you are always there for them. Now I have ownership of the CF code as well. Although I didn't write most of it, I am imtimately familiar with it. It's another of my children. Some of the larger companies that sell cart software stand behind their products, but you never really know who wrote what, or who to contact regarding problems. To me, writing code for a large project like this is like writing a novel or giving birth. This one was a douzy. I probably should have gotten the epidural.

See Cartweaver 3 in action at http://www.cartweaver.com/demos/. Existing CW 2 customers get the current upgrade price of $100. If you purchased within the last 60 days, the upgrade is free. To get your free upgrade, go to the Cartweaver site and add the product to your cart. After you login, the purchase price will be reduced to $0.00 so that you can add the product to your purchases and download it. Address any purchase questions to the support site at http://support.cartweaver.com/.

To purchase, go to http://www.cartweaver.com/

In the coming weeks and months I hope to have some articles and add-ons for Cartweaver 3.

Your customers will be able to log in to their account to view their contact information and update it if necessary. They will be able to view their current order to check order status and the shipping tracking number - if it was entered. They will also be able to view their entire order history and will be able to print out a copy of their order invoices if they wish.

This Plug-In gives your customers more control over their account. It helps develop a closer relationship with customers by allowing them to be involved and feel more in control.  They can be assured that their account information is correct and see what's going on with their orders.

For more information, go to http://www.cartweaver.com/store/detail/default.asp?id=cwPICustAcct.

The latest update to Cartweaver PHP was released a few weeks ago which fixed a few minor bugs. In addition, I created a patch to use Cartweaver PHP with SQL Server. For details, contact me at my contact page. If there is any interest in a patch for PostgreSQL, I will look into adding that as well.