>
>  > any suggestions?
>
> Use cfqueryparam around your variables :-)
> Otherwise sooner or later someone will enter
> mytitle';drop all;commit;
> as a book title.
>

I have an issue with people using cfqueryparam for this reason.

You should be doing data validation long before you hit the query and a
try/catch around a query and cfqueryparam is not data validation!  That
is just letting your application accept bad data, fall over and then
capture that failure of the application.

Yes, capturing application failure is good, but capturing application
failure as data validation is just lazy.

Incidentally, what you suggest above with the drop/commit in the text
won't work in this instance.  What you will wind up with is a book title
of "mytitle';drop all;commit;" as CF will automatically escape the
single quote, so that your insert text will be 'mytitle'';drop
all;commit;'  This is a perfectly valid SQL statement.

Regards

Stephen
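As an added illustration of the two points made in this thread (validate the data before the query, and bind the value with cfqueryparam rather than relying on string escaping), here is a CFML snippet that is not part of the original messages. It assumes a datasource called "bookstore" and a table "books" with a varchar(200) column "title"; both names are made up for the example.

```cfml
<!--- Added example, not from the thread: validate the title first, then bind it. --->
<!--- Assumed datasource "bookstore" and table "books" with varchar(200) column "title". --->
<cfset title = trim(form.title) />

<!--- Data validation happens before the query: reject empty or over-long titles outright,
      rather than letting the database fail and catching the error afterwards. --->
<cfif NOT len(title) OR len(title) GT 200>
    <cfthrow type="BadInput" message="Title must be 1 to 200 characters." />
</cfif>

<!--- cfqueryparam sends the value to the database separately from the SQL text,
      so any quote characters in the title are stored as part of the literal string
      and never change the statement being executed. --->
<cfquery name="insertBook" datasource="bookstore">
    INSERT INTO books (title)
    VALUES (<cfqueryparam value="#title#" cfsqltype="cf_sql_varchar" maxlength="200" />)
</cfquery>
```

The cfif block is the validation step the reply calls for; the cfqueryparam tag is the defence-in-depth layer, with maxlength matching the column so an over-long value is rejected at the parameter boundary as well.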
