ColdFusion and neo4j examples - coldfusion

Does anyone have an example of ColdFusion working with neo4j (or some other graph db)?
The common practice is to have an application service connect to a db. In CF it looks like the code below. One can then output the data.
<cfquery...>
select * from tbl where x=y
</cfquery>
What I'm looking for is a way to connect to and 'consume' graph data, such that I can feed it to a UI that displays the graph connections.
I am currently at step 1. How do I connect to a db (I'm liking neo4j) so I can pass a query and get something back. Ideally something like:
<cfquery ... >
MATCH (node)
RETURN node.propertyA, node.propertyB
</cfquery>
Is it even possible?

I would use CFHTTP and use Neo4j's REST endpoint to query Neo4j.
http://neo4j.com/docs/stable/rest-api-cypher.html
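What the suggested approach looks like in practice, as an added example that is not part of the original thread: a CFHTTP POST to the legacy REST Cypher endpoint the answer links, with the user-supplied value sent as a Cypher parameter instead of being spliced into the query text, and the JSON response rendered as a table. The host and port, the "neo4j" user, the application.neo4jPassword variable and the url.name request value are assumptions.

```cfml
<!--- Added example, not code from the original thread. Assumptions: Neo4j 2.x listening on
      localhost:7474 with its legacy REST Cypher endpoint (/db/data/cypher), HTTP basic auth as
      user "neo4j" with a password kept in application.neo4jPassword, and a url.name request value. --->

<!--- The Cypher text is fixed; the value travels in "params" (Neo4j 2.x placeholder syntax {name}).
      This is the Cypher counterpart of cfqueryparam: request input never becomes part of the query. --->
<cfset cypher = "MATCH (node) WHERE node.name = {name} RETURN node.propertyA, node.propertyB">
<cfset payload = structNew()>
<cfset payload["query"] = cypher>
<cfset payload["params"] = structNew()>
<cfset payload["params"]["name"] = url.name>
<!--- Bracket notation keeps the key case; the endpoint expects lower-case "query" and "params". --->

<cfhttp method="POST" url="http://localhost:7474/db/data/cypher" result="neo" charset="utf-8">
    <cfhttpparam type="header" name="Content-Type" value="application/json">
    <cfhttpparam type="header" name="Accept" value="application/json; charset=UTF-8">
    <cfhttpparam type="header" name="Authorization" value="Basic #toBase64('neo4j:' & application.neo4jPassword)#">
    <cfhttpparam type="body" value="#serializeJSON(payload)#">
</cfhttp>

<!--- Anything other than 200 (auth failure, Cypher syntax error, server down) is raised here
      instead of silently rendering as an empty table. --->
<cfif left(neo.statusCode, 3) neq "200">
    <cfthrow message="Neo4j request failed" detail="#neo.statusCode#">
</cfif>

<!--- Response shape for this endpoint: { "columns": [...], "data": [[row values], ...] } --->
<cfset graph = deserializeJSON(neo.fileContent)>
<cfoutput>
<table>
  <tr><cfloop array="#graph.columns#" index="col"><th>#encodeForHTML(col)#</th></cfloop></tr>
  <cfloop array="#graph.data#" index="row">
    <tr>
      <cfloop array="#row#" index="cell">
        <!--- Scalars are printed directly; nodes or maps are shown as JSON. Output is HTML-encoded. --->
        <td><cfif isSimpleValue(cell)>#encodeForHTML(cell)#<cfelse>#encodeForHTML(serializeJSON(cell))#</cfif></td>
      </cfloop>
    </tr>
  </cfloop>
</table>
</cfoutput>
```

The same call works from a component method so the result can be handed to the UI layer as a struct; for a graph visualisation, return the node rows (or the raw graph.data array) as JSON rather than building the table server-side.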

Related

Database connection and save data from c++ program to MySQL

I never had to deal with databases before, therefore, sorry in advance!
I was asked to create a database for a project and store the data output from a C++ program in the database. I looked on Google about databases, and I came across MySQL, and in particular database connections. As far as I understood, first a database has to be created (for example with MySQL), and once data are inserted, it's possible to access them. However, it's not totally clear what is possible to achieve with such a connection and how to save data from a C++ program into the database directly.
Based on what I read on the net, these should be related, is that right? I would really need some help, an example or clarification about these two questions. Thanks in advance for your time!
First you should create the DB and tables.
You can do it in each DB IDE's wizards, or you can write it in a script.
So here is a script for MySQL:
CREATE DATABASE test_db; -- this creates a DB called test_db
I guess you should store a message and a timestamp, so a possible table (in MySQL) will be:
USE test_db; -- from now on the script uses test_db unless another DB is specified explicitly
-- creating a table with id, message and timestamp
CREATE TABLE output_table (
  msg_ID INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
  msg TEXT,                                  -- VARCHAR(max) is SQL Server syntax; MySQL uses TEXT (or VARCHAR(n))
  msg_TS TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
In the above table you only need to give the message since all the rest is filled automatically. So the INSERT INTO command may look like this:
INSERT INTO output_table (msg) VALUES ('this is a message');
When you want to check the whole table you run the following:
SELECT * FROM output_table;
Now you need to connect this code to your C++ code:
Generally, you'll need to know the DB name, user name and password in order to connect to the DB.
You can use ODBC + MySQL ODBC Connector. It is better since you are not limited in your C++ to a specific DB. If you are sure you will use only MySQL you can also use MySQL C++ Connector directly. Anyway, both will give you the option to run SQL commands on your DB.
HERE you can find a MySQL C++ connector sample.
HERE you can find an ODBC sample.

Coldfusion SQL injection? failing a web application inspection

Ok, I'm stumped. I have a CF11 web application that is failing a web application audit report for SQL injection; this report is made by Acunetix.
Anyways, the report gives me 10 pages on my site that are vulnerable to SQL injection, but I checked the code, and I am in fact using cfqueryparam in each of these instances.
Example of one of the queries called by the handler:
<cfquery datasource="#application.DSN#" name="qResult" result="r">
update #table# s
set s.loader_status = <cfqueryparam cfsqltype="cf_sql_varchar" value="#ucase(arguments.status)#">
<cfif isDefined("bio_loader_status") and bio_loader_status neq ''>
, s.bio_loader_status = <cfqueryparam cfsqltype="cf_sql_varchar" value="#ucase(bio_loader_status)#">
</cfif>
, s.session_id = NULL
, s.session_expiration = NULL
<cfif isDefined("arguments.rowid") and arguments.rowid neq ''>
where s.rowid = CHARTOROWID(<cfqueryparam cfsqltype="cf_sql_varchar" value="#arguments.rowid#">)
</cfif>
</cfquery>
Everything I have read tells me that I am protected against SQL attacks (using cfqueryparam, using datasource and table variables, etc.), yet the report claims otherwise:
URL encoded GET input rowid was set to 1'"
Error message found: Error Executing Database Query
GET /index.cfm/status?rowid=1'%22&type=billing HTTP/1.1
Can anyone shed some light on what I'm doing wrong? Or is the report not correct in its assumptions?
Furthering Alex's assertion:
They want you to graciously handle the fact that rowid is not a number, they don't want to see the standard error message
My previous employer has regular penetration tests (pen tests) performed against their applications. The error messages output from CF will just render the strings of the attack on the screen. This is fine for non-production, non-QA environments where you need or want debugging information to display on screen. In production, you never want to tip your hand as to where the code tripped up.
The error message GET /index.cfm/status?rowid=1'%22&type=billing HTTP/1.1 tells the attacker which file and its path, along with a URL parameter that it can further attack. If this file was an include in your request stack and that file can be requested directly, you may then be open to further attacks. You need to catch this error and output a message.
If you have to be logged in to access this URL, that's one thing. A public URL shouldn't have any information specific to the problem. Don't output something like, The rowID must be an Integer or rowID is invalid. That will just cause more attacks. Invalid request is fine for a public URL error.
Now, to the case when <cfqueryparam> actually can't stop an injection attack. Some legacy stored procedures at my previous company use dynamic SQL. Much like in CF, strings would be concatenated inside the proc and the SQL execute command would run the final SQL string. It is possible to pass an encoded string to <cfqueryparam> that will then get injected into the SQL string inside the proc as it is pieced together. For this, we had to update piles of old procs to validate string parameters, looking for certain strings to reject.
If possible, you should add a Web Application Firewall to your infrastructure. The Online ColdFusion Meetup Group is having a presentation on one software based WAF for CF applications tomorrow. I'm sure it will be recorded if you can't attend. I just last night finished moving my current CF site to AWS, where we made sure to add their WAF to our stack for security. This doesn't mean that we don't need to properly catch errors and show appropriate messages, but it does tend to lighten the load when you can have it reject known attack vectors before the request even gets to the application server.
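Putting both answers into code, as an added example that is not part of the original thread: the handler validates rowid and the type-to-table mapping before the query runs, catches database errors, logs the detail server-side and returns only a generic message with a 400 status, so the scanner's 1'" probe never produces "Error Executing Database Query". The function names, the allowedTables mapping, the log file names and the ROWID format check (18 characters from the ROWID alphabet) are assumptions, not the asker's code.

```cfml
<!--- Added example, not the asker's code. Assumes a CFC method behind /index.cfm/status that
      receives rowid and type from the URL, an Oracle datasource in application.DSN, and that
      the ROWID pattern below matches the caller's data (an assumption about the format). --->
<cffunction name="setStatus" access="remote" returntype="struct" output="false">
    <cfargument name="rowid" type="string" required="true">
    <cfargument name="type" type="string" required="true">
    <cfargument name="status" type="string" required="true">

    <cfset var allowedTables = { "billing" = "billing_loader", "shipping" = "shipping_loader" }>
    <cfset var tableName = "">
    <cfset var r = "">

    <!--- 1. A table name is an identifier, so cfqueryparam cannot bind it. Map the request
            value onto a fixed list (hypothetical names) and refuse anything else. --->
    <cfif not structKeyExists(allowedTables, arguments.type)>
        <cfreturn rejectRequest("unknown type", arguments.type)>
    </cfif>
    <cfset tableName = allowedTables[arguments.type]>

    <!--- 2. Reject malformed input before it reaches the database: a value such as 1'"
            fails this check and never reaches CHARTOROWID, so no database error is raised. --->
    <cfif not reFind("^[A-Za-z0-9+/]{18}$", arguments.rowid)>
        <cfreturn rejectRequest("malformed rowid", arguments.rowid)>
    </cfif>

    <!--- 3. Whatever still fails is logged with full detail; the caller sees a generic message. --->
    <cftry>
        <cfquery datasource="#application.DSN#" result="r">
            update #tableName# s
               set s.loader_status = <cfqueryparam cfsqltype="cf_sql_varchar" value="#ucase(arguments.status)#">
                 , s.session_id = NULL
                 , s.session_expiration = NULL
             where s.rowid = CHARTOROWID(<cfqueryparam cfsqltype="cf_sql_varchar" value="#arguments.rowid#">)
        </cfquery>
        <cfreturn { "ok" = true }>
        <cfcatch type="database">
            <cflog file="app_db_errors" type="error" text="setStatus failed: #cfcatch.message# | #cfcatch.detail#">
            <cfreturn rejectRequest("database error", "")>
        </cfcatch>
    </cftry>
</cffunction>

<cffunction name="rejectRequest" access="private" returntype="struct" output="false">
    <cfargument name="reason" type="string" required="true">
    <cfargument name="value" type="string" required="true">
    <!--- Detail stays in the server log (with the client address); the response carries only
          a 400 status and a fixed message, never the offending value or a column name. --->
    <cflog file="app_input_rejections" type="warning" text="#arguments.reason#: #arguments.value# from #cgi.remote_addr#">
    <cfheader statuscode="400" statustext="Bad Request">
    <cfreturn { "ok" = false, "message" = "Invalid request" }>
</cffunction>
```

With this in place the scanner's request gets a 400 and "Invalid request" instead of a ColdFusion error page, which is what the audit finding is really about; the two log files give you the detail the generic response withholds, and are worth watching for bursts of rejections from one address.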

Web service input into SQL query into R in Azure ML

I have the following simple setup in Azure ML.
Basically the Reader is a SQL query to a DB which returns a vector called Pdelta, which is then passed to the R script for further processing, and the results are then returned back to the web service. The DB query is simple (SELECT Pdelta FROM ...) and it works fine. I have set the DB query as a web service parameter as well.
Everything seems to work fine, but at the end, when I publish it as a web service and test it, it somehow asks for an additional input parameter. The additional parameter gets called PDELTA.
I am wondering why this is happening; what is it that I am overlooking? I would like to make this web service ask for only one parameter, the SQL query (Delta Query), which would then deliver the Pdeltas.
Any ideas or suggestions would be greatly appreciated!
You can remove the web service input block and publish the web service without it. That way the Pdelta input will be passed in only from the Reader module.

ColdFusion Builder RDS Query Viewer Inserts Allowed?

Just started using ColdFusion Builder 2 with ColdFusion 9 and saw the RDS viewer ability in it. I thumbed through Forta's WACK book and tried a simple example from it, a basic INSERT using a Derby Embedded database:
INSERT INTO Directors(FirstName,LastName)
VALUES('Ben','Forta')
If you execute that query using the RDS Query Viewer you get an error:
Statement.executeQuery() cannot be used with a query that returns a row count.
Are INSERTs, DELETEs, and UPDATEs not allowed using this tool? I'm probably just spoiled using SQL Server's Management Studio which will let you do anything if you have the rights.
Thanks!
Ya, AFAIK INSERTs, DELETEs, and UPDATEs are not allowed.

How to export long strings from datasource to Excel in ColdFusion and Report Builder

I have to export some data, stored in a MSSQL database, using Coldfusion server pages.
I setup my query with the cfquery tag, I generate my cfr file in Report Builder and setup the cfreport tag like this:
<cfquery name="q" datasource="mydsn"> SELECT * FROM table </cfquery>
<cfreport format="EXCEL" template="cfrPath/cfrfile.cfr" query="#q#" filename="mydir/myexcelfile.xls" overwrite = "yes"/>
By the way, it seems that ColdFusion cuts some fields, especially the very long text ones.
Is it a bug, or am I missing something in my setup?
At a guess, I'd say you need to either increase your text buffer or enable CLOBs in your DSN setup in ColdFusion Administrator.