AFAIK, it actually does more than validation and escaping, at least
with SQL Server. The DB understands that what's coming in for those
parameters (represented by ? in your cf debugging information) is only
data, and is not executable in any way.
-joe
----- Original Message -----
From: Tim Blair <[EMAIL PROTECTED]>
Date: Thu, 22 Jul 2004 15:28:16 +0100
Subject: RE: A script to Prevent SQL Injection: feedback/suggestions?
To: CF-Talk <[EMAIL PROTECTED]>
> CFQUERYPARAM will validate the data. This script rips out ALL
> harmful SQL statements that someone might try to include into
> a URL or FORM field entry.
It doesn't just validate -- it will also escape any potentially
"harmful" characters, therefore nullifying any possible attack.
Tim.
--
-------------------------------------------------------
Badpen Tech - CF and web-tech: http://tech.badpen.com/
-------------------------------------------------------
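The distinction Joe draws above, that a bound parameter is handed to the database as data that can never be parsed as SQL, is easy to see in a few lines of code. The following is an added example, not code from either poster or from ColdFusion; it uses Python's standard sqlite3 module in place of SQL Server and cfqueryparam, since the "?" placeholder and the behaviour are the same in principle. The table, the rows and the two attack payloads are constructed for the demonstration. It also covers a case the thread only hints at: escaping quote characters does nothing for a numeric column that is never quoted in the first place, whereas a bound parameter still holds.

```python
import sqlite3


def make_db():
    """Constructed sample database: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    conn.commit()
    return conn


def lookup_concat(conn, username):
    # Vulnerable: the value is spliced into the statement text, so the SQL
    # parser sees anything the user typed as part of the query itself.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    # Bound parameter: the statement text is fixed before the value is
    # supplied, so the value is compared as a string and never parsed.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def by_id_escaped(conn, user_id):
    # "Escaping" by doubling single quotes: the usual hand-rolled defence.
    # It is useless here because the numeric column is not quoted, so the
    # payload needs no quote character at all.
    escaped = str(user_id).replace("'", "''")
    sql = f"SELECT username FROM users WHERE id = {escaped}"
    return [row[0] for row in conn.execute(sql)]


def by_id_param(conn, user_id):
    # Bound parameter again: the text "1 OR 1=1" is just a value that no
    # integer id equals, so the query matches nothing.
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


# Constructed payloads: a classic tautology for the string column and an
# unquoted one for the integer column.
STRING_PAYLOAD = "x' OR '1'='1"
NUMERIC_PAYLOAD = "1 OR 1=1"

if __name__ == "__main__":
    conn = make_db()
    print("concat, normal input :", lookup_concat(conn, "alice"))
    print("concat, payload      :", lookup_concat(conn, STRING_PAYLOAD))
    print("param, payload       :", lookup_param(conn, STRING_PAYLOAD))
    print("escaped id, payload  :", by_id_escaped(conn, NUMERIC_PAYLOAD))
    print("param id, payload    :", by_id_param(conn, NUMERIC_PAYLOAD))
```

Run as a script, the concatenated lookup returns all three users for the string payload and the quote-escaping lookup returns all three for the numeric payload, while both parameterised lookups return nothing for the same input. That is the property worth relying on: the binding is not a cleverer filter over the input, it changes what the input is allowed to be.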