Not everyone has cfqueryparam available; we are on CF4 for a few more months,
so we're SOL.

But you could theoretically still do something like

select *
from blah
where userdata; select * from blah

which would be interpreted as a 2nd query. cfqueryparam might fix that; it
might come down to the old "better safe than sorry".



Bill Wheatley
Senior Database Developer
Macromedia Certified Advanced Coldfusion Developer
EDIETS.COM
954.360.9022 X159
ICQ 417645
----- Original Message -----
From: "Matt Robertson" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, September 03, 2002 4:28 PM
Subject: SQL Injection Attacks (scrubbers cont.)


> It seems to me there are two different issues here, that only partially
> overlap.
>
> 1. data is input into a field - say a varchar/ntext/text/memo field -
> that will be used to display onto a page.  The user could include all sorts
> of nasties, both simple and complex.  Injected SQL isn't much of a danger
> here, if at all.  For a field like this at the very least you need a
> scrubber like CodeCleaner (which for the sake of argument strips out the
> CFQUERY statements someone would wrap around the aforementioned SQL), or
> something you've home-grown.
>
> 2. Data is used - possibly from a form input but maybe not - in a WHERE
> statement; i.e. SQL injection.  cfqueryparam fixes that rather handily all
> on its own.  Malicious code of another nature isn't likely to be of any use
> in a WHERE clause, but cfqueryparam handles this as well.
>
> So my ideal system scrubs the form inputs, and further lumps them into a
> cfqueryparam on general principles.  My WHERE clause uses cfqueryparam only.
> I should be pretty safe.
>
> What have I missed on the above?
>
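Added illustration of the two points above, not code from either poster: the same WHERE-clause lookup built by string concatenation (the only option without cfqueryparam) and with a bound parameter (what cfqueryparam does). Python's sqlite3 and a constructed "blah" table stand in for the ColdFusion datasource.

```python
import sqlite3

# Constructed stand-in for the thread's "blah" table (sample rows, not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table blah (id integer primary key, userdata text)")
    conn.executemany("insert into blah (userdata) values (?)",
                     [("alice",), ("O'Brien",)])
    return conn

def concatenated(conn, userdata):
    """Pre-cfqueryparam style: the user's text is spliced into the SQL.
    Returns (sql_text, rows, error) so the caller can see what the engine
    was actually asked to run."""
    sql = "select * from blah where userdata = '%s'" % userdata
    try:
        return sql, conn.execute(sql).fetchall(), None
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # A stray apostrophe breaks the statement; a second statement is
        # refused by this driver, but drivers that allow stacked statements
        # would run it, which is the risk described in the thread.
        return sql, None, str(exc)

def parameterized(conn, userdata):
    """The cfqueryparam model: the value is bound, never parsed as SQL."""
    rows = conn.execute("select * from blah where userdata = ?", (userdata,))
    return rows.fetchall()

if __name__ == "__main__":
    db = make_db()
    # Legitimate input with an apostrophe: concatenation chokes, binding works.
    print(concatenated(db, "O'Brien"))
    print(parameterized(db, "O'Brien"))
    # The stacked-query input from the thread: concatenated, the SQL text
    # now holds two SELECTs; bound, it is just a value that matches nothing.
    stacked = "x'; select * from blah where userdata = 'alice"
    print(concatenated(db, stacked))
    print(parameterized(db, stacked))
```

Note that the driver refusing multiple statements is a property of this particular driver, not a substitute for binding: the concatenated text still contains a second query.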
______________________________________________________________________
Signup for the Fusion Authority news alert and keep up with the latest news in 
ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists