Anytime I'm using a query I need to log into the database (as I don't have ODBC setup to do it)
<cfquery name="rsUser" datasource="dbname" username="admin" password="adminpass">
SELECT *
FROM dbo.UsersView
WHERE UserID = #session.userid#
</cfquery>
the part I don't like is having the username and password visible every time I make a query. I could use a #parameter# but that is only a small improvement. Any other ideas short of setting up the ODBC on the server?
If you are using a datasource, you don't need to supply the username and password, they are provided when you set up the datasource. If you don't set up a datasource in the CF Administrator, then you have to user username and password attributes but you'd also have to supply the db server information as well.
So, in short, just pull out your username and password and you should be fine.
Also, it is best practice to use for values passed into your query (in this case, session.userid). cfqueryparam not only helps protect you against security issues like SQL injection attacks, it also tells the the db server to create a prepared statement which will be reused in subsequent calls of the query and thus will increase performance of your queries.
Sometimes people don't like to put their username and password into the CF Admin and there is a simple way around that would be to put your datasource information in the Application.cf(c|m).
If using Application.cfm just do the following somewhere in the Application.cfm
Application.dsn = {
datasource = 'mydatasource',
username = 'myusername',
password = 'mypassword'
}
If using Application.cfc place the same code into your onApplicationStart method. Then in your query just use the following
<cfquery name="myquery" attributeCollection="#Application.dsn#">
SELECT * FROM mytable
</cfquery>
As you can see this makes your code nice and easy to manage and if your DSN changes you only have to change it in one place.
Related
I have installed Sitecore 10 on my local machine for development but have forgotton the master admin password. So now I am not able to log into sitecore from the browser.
I would like to know about how to reset this admin password.
Please give me detailed steps and not just a update query from other posts which I have tried and it has not worked.
Thanks a ton in Advance :)
You can do it programmaticaly or reset it in the SQL database, but with SQL that depend on the hash algorithm configured. Therefore your previous scripts may not work, programmatically works independently of the hash algorithm.
Programmatically reset password to b:
string userName = "sitecore\\admin";
var user = Membership.GetUser(userName);
user.UnlockUser();
user.ChangePassword(user.ResetPassword(), "b");
See for compleet ready to use script:
http://www.stockpick.nl/english/how-to-add-a-sitecore-admin-programmatically/
https://github.com/jbluemink/Sitecore-Admin-Scripts-for-Development-and-Deploying
I am using Apex 18.2.
I have created a report with a form for displaying and entering employees data. Employees can set their own usernames and passwords. My problem is that When I try to create a new employee or edit one that did not have a username and a password set before. The browser populates those two fields with some values. I think with the last entered username and password in the browser. I can not guarantee that users would refuse the browser's offering to save passwords. And if they do not then the next one tries to create a new employee will get the previous password entered. And I think that handling it using JavaScript through emptying the items, for example is not a good idea because the client-side can always be manipulated. I want to control it through the app not the browser. Or maybe better, control the browser through the app and prevent it from saving passwords for the app. Is there a way to do so?
Here is a sample:
https://apex.oracle.com
ws = ESLAM_WS
user = forhelp
pwd = forhelppwd
app = TEST
page = 14 and 15.
If it's the browser's offering to save the password you're trying to avoid, there are existing discussions on this
How to prevent a browser from storing password
You APEX form seems to behave as expected.
And you should not be saving passwords in clear text. Hash your data.
I want to prevent SQL injection attacks. We have a form that asks for the user's AD username and password. Then our processing code looks something like this:
<cfldap name="ldap_result" action="query" server="999.999.999.999"
attributes="userprincipalname,title,samaccountname,sn,name,mail,cn"
filter="(&(objectclass=user)(sAMAccountName=#form.username#))"
start="dc=us,dc=company,dc=lan"
scope="subtree"
username="US\#form.username#"
password="#form.password#">
I would never run a query with user input without cfqueryparam (to wrap the username and password inputs), but is something like that even available to cfldap? (We're on CF10 if that makes a difference.)
UPDATE:
To clarify, when I tried this, I got the following error:
Attribute validation error for tag CFLDAP.It does not allow the
attribute(s) CFSQLTYPE,VALUE.
No, you cannot use the cfqueryparam tag within your cfldap tag. The cfqueryparam is used specifically for SQL queries. You are thinking correctly though. NEVER TRUST USER INPUT
The cfldap tag does give you some protection in and of itself.
LDAP injection
ColdFusion uses the <cfldap> tag to communicate with LDAP servers. This tag has an ACTION attribute that dictates the query performed against the LDAP. The valid values for this attribute are: add, delete, query (default), modify, and modifyDN. All <cfldap> calls are turned into JNDI (Java Naming And Directory Interface) lookups. However, because <cfldap> wraps the calls, it will throw syntax errors if native JNDI code is passed to its attributes, making LDAP injection more difficult.
From page 14 of the ColdFusion 8 developer security guidelines which you should read if you have not done so already. It was written for ColdFusion 8 but much if not all of it is still relevant. There is an updated version of the document for ColdFusion 11 but it actually references the version 8 document as a reference as well.
I would suggest that you go with a whitelist approach here. Your active directory has specific requirements for the username and password fields; only lowercase and uppercase letters, numbers, etc. Create a regular expression that checks the user input for those valid characters only. If either field contains anything else then deny the submission and do not run the cfldap call.
This may sound too easy to understand but I am not sure I am having my head around it.
When a user is signing up in the first page of my app, I have request.session['user_id'] set which is used in page two of the sign up to complete registration. The user_id is the primary key to user in USER TABLE but I don't want to store user_id in session. I fear it might be tampered with and the WRONG row might get updated.
I would want something like a token that would be generated by my script but Django's SESSION TABLE only has three columns (session_key, session_data, expire_date) and it saves session details to it automatically.
My questions precisely are:
Can I tinker with the SESSION TABLE and add a session_token to it or I have to create my own table?
How do I get the session_token to automatically save like other columns in Django SESSION TABLE?
Or is `request.session['user_id'] okay and safe?
Do all these also apply to COOKIES and why do I need to use cookies when SESSION_EXPIRE_AT_BROWSER_CLOSE is set to FALSE?
The session is stored in the database, not in the user's cookie. There is no way for the user to change that data. The only thing stored in the cookie is the hash of the session ID itself.
I have a form field “Names” that gets populated from an Active Directory.
I am using CFLDP to connect to the Active Directory.
<cfldap action="QUERY"
name="results"
attributes="cn,sn,dn,department,mail,userid,etc."
start="dc=##,dc=##,dc=##"
filter="##=##"
server="00.00.0004"
username="me"
password="mePASWD">
<cfdump var="#results#">
When I see the result it throws the data(CN, DEPARTMENT ,DN ,MAIL, SN, USERID , UUSERID
) only for the Username="me" AND Password="mePASWD". WHERE AS I WAS HOPING IT WILL LIST THE DETAILS OF ALL THE USERS IN THE ACTIVE DIRECTORY.
ULtimatelyt I want to list theses “names” as a list and enable The user to select any “Name/Names”.
Please help how to populate all the data from Active directory rather than only a single userid or username.
I am using CF8 and Windows Server 2003 AD/LDAP standard.
Thanks
It appears that your user account only has access to your own record.
You will need to use a username and password for an account with wider access to the directory.
Alternatively, you may be able to use an anonymous bind depending on what your system administrator has enabled.
I find it useful to use a standalone LDAP browser to troubleshoot ldap issues.