:) That's why I said for places that cannot do CFQUERYPARAM. Bad boy, skimming messages!!
Bill Wheatley
Senior Database Developer
Macromedia Certified Advanced ColdFusion Developer
EDIETS.COM
954.360.9022 X159
ICQ 417645

----- Original Message -----
From: "Dave Watts" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, September 03, 2002 5:00 PM
Subject: RE: SQL Injection Attacks (scrubbers cont.)

> > Not everyone has cfqueryparam available; we are on CF4 for a
> > few more months, so we're SOL.
> >
> > But you could theoretically still do something like
> >
> > select *
> > from blah
> > where userdata; select * from blah
> >
> > which would be interpreted as a 2nd query. CFQUERYPARAM
> > might fix that; it might come down to the old "better safe
> > than sorry".
>
> No, in my experience, CFQUERYPARAM would prevent that second SQL statement
> from being executed, assuming that the variable you were using contained
> "userdata; select * from blah". When you use CFQUERYPARAM, CF builds a
> prepared statement, which separates the SQL from the variables, and any SQL
> code contained within the variables won't be treated as SQL, but rather as
> literal data.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444

______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
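The stacked-query case Dave describes, shown as an added example that is not code from the thread or from ColdFusion itself: a lookup built by string concatenation (the `<cfquery>`-with-`#variable#` pattern) is run beside the same lookup with the value bound as a parameter (what `<cfqueryparam>` does). Python's sqlite3 module stands in for the database driver; the table name `blah` comes from the thread, while the `username` column, the sample rows and the payload are constructed for this example. sqlite3's `execute()` refuses more than one statement per call, so `executescript()` is used on the concatenated path to model a driver that, like the ones being discussed, runs every statement in the batch.

```python
import sqlite3

# Constructed sample data for the example; not from the original post.
ROWS = [(1, "alice"), (2, "bob")]

# Attacker input: closes the string literal, appends a second statement,
# and comments out whatever the template puts after the value.
PAYLOAD = "bob'; DROP TABLE blah; --"


def fresh_db():
    """In-memory database with the (assumed) table layout used below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blah (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO blah VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def table_exists(conn):
    """True while the blah table is still present."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'blah'"
    ).fetchone()
    return row is not None


def run_concatenated(conn, userdata):
    """Models:  <cfquery> SELECT * FROM blah WHERE username = '#userdata#' </cfquery>

    The user's text becomes part of the SQL grammar, so a ';' inside it starts
    a second statement. executescript() runs the whole batch, as a driver that
    permits multiple statements would. Returns whether the table survived.
    """
    sql = "SELECT * FROM blah WHERE username = '" + userdata + "'"
    conn.executescript(sql)
    conn.commit()
    return table_exists(conn)


def run_parameterized(conn, userdata):
    """Models:  WHERE username = <cfqueryparam value="#userdata#" cfsqltype="cf_sql_varchar">

    The SQL text is fixed and compiled first; the value is bound afterwards as
    a literal, so the driver never parses the payload as SQL. Returns the rows.
    """
    cur = conn.execute("SELECT * FROM blah WHERE username = ?", (userdata,))
    return cur.fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("parameterized, benign :", run_parameterized(db, "bob"))
    print("parameterized, payload:", run_parameterized(db, PAYLOAD))
    print("table still there     :", table_exists(db))

    db = fresh_db()
    print("concatenated, benign, table intact:", run_concatenated(db, "bob"))
    print("concatenated, payload, table intact:", run_concatenated(db, PAYLOAD))
```

With the parameter bound, the payload simply matches no row (there is no user literally named `bob'; DROP TABLE blah; --`) and the table is untouched; with concatenation, the same input drops the table. This is the separation of code from data that the prepared statement provides, and it does not depend on the application spotting or scrubbing the semicolon.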