It seems to me there are two different issues here, that only partially overlap.
1. Data is input into a field - say a varchar/ntext/text/memo field - that will be used to display onto a page. The user could include all sorts of nasties, both simple and complex. Injected SQL isn't much of a danger here, if at all. For a field like this at the very least you need a scrubber like CodeCleaner (which for the sake of argument strips out the CFQUERY statements someone would wrap around the aforementioned SQL), or something you've home-grown.

2. Data is used - possibly from a form input but maybe not - in a WHERE statement; i.e. SQL injection. cfqueryparam fixes that rather handily all on its own. Malicious code of another nature isn't likely to be of any use in a WHERE clause, but cfqueryparam handles this as well.

So my ideal system scrubs the form inputs, and further lumps them into a cfqueryparam on general principles. My WHERE clause uses cfqueryparam only. I should be pretty safe.

What have I missed on the above?

______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
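The two cases above, worked through in ColdFusion as an added example (this is not code from the original post or from any product it mentions). It assumes a datasource named "myDSN", a table "users" with an integer column "user_id" and a text column "bio", and form fields "form.user_id" and "form.bio"; all of those names are made up for the illustration. The first query is the unsafe pattern the post is warning about, the second is the same lookup with cfqueryparam, and the last two show that cfqueryparam protects the write to a free-text column but does nothing about what that text contains when it is later displayed, which is the separate problem case 1 describes.

```cfml
<!--- Added example, not from the original post. Assumed names: datasource
      "myDSN", table "users" (user_id integer, bio text), form.user_id, form.bio. --->

<!--- Case 2, unsafe: the form value is spliced into the SQL text, so input
      such as  1 OR 1=1  rewrites the WHERE clause instead of matching a row. --->
<cfquery name="qBad" datasource="myDSN">
    SELECT user_id, bio
    FROM   users
    WHERE  user_id = #form.user_id#
</cfquery>

<!--- Case 2, hardened: cfqueryparam binds the value as a typed parameter.
      It is handed to the driver as data, never as part of the statement, and
      cf_sql_integer also rejects anything that is not a whole number before
      the query ever runs. --->
<cfquery name="qGood" datasource="myDSN">
    SELECT user_id, bio
    FROM   users
    WHERE  user_id = <cfqueryparam value="#form.user_id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Case 1, the write: cfqueryparam stops injection on the UPDATE as well,
      but it stores whatever HTML or CFML the user typed into "bio" untouched. --->
<cfquery datasource="myDSN">
    UPDATE users
    SET    bio     = <cfqueryparam value="#form.bio#" cfsqltype="cf_sql_longvarchar">
    WHERE  user_id = <cfqueryparam value="#form.user_id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Case 1, the display: escape on output rather than relying only on an
      input scrubber. HTMLEditFormat() turns <, >, & and " into entities, so
      stored markup is shown as text instead of being rendered. --->
<cfoutput query="qGood">
    <p>#HTMLEditFormat(qGood.bio)#</p>
</cfoutput>
```

The point the split makes: a parameter binding answers the question "is this value data or SQL?" and nothing else, so the free-text column still needs its own treatment on the way out, whichever scrubber or escaping function does it.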

