
Infoweek security issues

Today, while surfing the website of InfoWeek, a leading IT magazine in Switzerland, in order to change my email subscription, I was greeted with the following error message:

At first I was happy to see that they are using CFML as their deployment choice, but looking at the above code I saw some poor coding techniques at work.

First off, one should never use "*" to get back all the columns of a table. It slows the database server down and is poor man's coding style. In today's tooling environment there is no excuse for using "*" anymore (I am talking about production use here).

The next thing is that the variable "MailAdress" is not scoped and, far worse, is subject to the well-known SQL injection, because the developers neglected the <cfqueryparam> tag. Sure enough, I was able to log in to my account by adding the variable to the URL. If I wanted to, I could even see and alter other people's email addresses.

The solution to the above is so simple that one wonders why developers still choose to neglect it. With a simple:

<cfqueryparam cfsqltype="cf_sql_varchar" value="#post.MailAdress#">

the variable is scoped and secured against SQL injection at the same time.
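To make the contrast concrete, here is the query pattern described above next to a hardened version. This is an added example, not InfoWeek's code; the datasource "subscriptions", the table "subscribers" and its column names are assumed.

```cfml
<!--- Added example, not InfoWeek's code. Datasource "subscriptions", table
      "subscribers" and its columns are assumed names. --->

<!--- BEFORE: the pattern described in the post. "MailAdress" is unscoped, so
      CFML resolves it from whichever scope happens to hold it (URL, form,
      ...), and the value is pasted straight into the SQL text. --->
<cfquery name="getSubscriberBad" datasource="subscriptions">
    SELECT *
    FROM subscribers
    WHERE email = '#MailAdress#'
</cfquery>

<!--- AFTER: read only from the scope the page is meant to accept (form),
      reject anything that is not an email before touching the database,
      name the columns, and bind the value with cfqueryparam so the driver
      sends it as a parameter instead of as SQL text. --->
<cfparam name="form.MailAdress" default="">

<cfif NOT isValid("email", form.MailAdress)>
    <cfthrow type="ValidationError" message="Invalid email address">
</cfif>

<cfquery name="getSubscriber" datasource="subscriptions">
    SELECT subscriber_id, email, newsletter_opt_in
    FROM subscribers
    WHERE email = <cfqueryparam cfsqltype="cf_sql_varchar"
                                value="#form.MailAdress#"
                                maxlength="254">
</cfquery>

<!--- Exactly one row is expected for a valid address; anything else is
      treated as a failure rather than silently using the first row. --->
<cfif getSubscriber.recordCount NEQ 1>
    <cfthrow type="LookupError" message="No matching subscription">
</cfif>
```

With the value bound as a parameter, a quote or SQL keyword supplied in the address is compared literally against the email column instead of being executed, and the explicit form scope means a value appended to the URL is no longer picked up at all.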

As long as I see applications like this on the web (believe me, I see a couple of these a week) I am sure my company has enough to do :-) ... and yes, I did call them and told them about the error, but it looks like they are not in a hurry to fix it.
