I just subscribed to the list so missed most of this thread ... please disregard if not relevant.
Access is not immune. At a minimum you have this vulnerability with VB to deal with: http://www.macromedia.com/devnet/security/security_zone/asb99-09.html

I think anyone running a web application without actively protecting themselves against injection attacks is running software I would immediately chuck into the opposite of the "ain't" broken category ... just an opinion.

FYI you can run multiple commands in ms access injection attacks by using '%00' instead of the '--' used in ms SQL server attacks.

I'd also change those 3 most important things to planning, documentation, and standards ... another opinion ;-)

Claude Schneegans wrote:

>>>The three most important things in software development are
>>>consistency, consistency, and consistency.
>
>Right. However, before CF 5, consistency was NOT to use CFQUERYPARAM since it
>didn't exist,
>and I would add another most important thing: if it ain't broken, don't fix
>it...
>
>So let me reformulate my question:
>Is it really worth it to modify old CF applications running Access to use
>CFQUERYPARAM,
>and is it really true that the only way for SQL injection is by using multiple
>commands,
>and that Access DS are SQL injection free?
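
The retrofit asked about in the quoted question, shown as a before/after pair. This is an added example, not code from the thread; the datasource `legacyAccessDSN`, the `orders` table and the `url.orderId` / `form.customer` fields are hypothetical.

```cfml
<!--- Added example. Datasource, table and field names are hypothetical. --->

<!--- BEFORE: the request value is spliced into the SQL text, so the
      database driver parses whatever arrives in url.orderId as SQL.
      An unquoted numeric slot like this gets no quoting or type check. --->
<cfquery name="qOrderOld" datasource="legacyAccessDSN">
    SELECT order_id, customer, total
    FROM orders
    WHERE order_id = #url.orderId#
</cfquery>

<!--- AFTER: CFQUERYPARAM sends each value as a bound parameter.
      The value is type-checked (and length-checked for strings) before
      the query runs and is never parsed as part of the statement, so
      neither statement terminators nor altered WHERE logic can be
      introduced through it. --->
<cftry>
    <cfquery name="qOrder" datasource="legacyAccessDSN">
        SELECT order_id, customer, total
        FROM orders
        WHERE order_id = <cfqueryparam value="#url.orderId#"
                                       cfsqltype="cf_sql_integer">
          AND customer = <cfqueryparam value="#form.customer#"
                                       cfsqltype="cf_sql_varchar"
                                       maxlength="50">
    </cfquery>

    <cfcatch type="any">
        <!--- A value that fails the type or length check (or a driver
              error) lands here. Return a generic 400 rather than
              echoing the driver's error text back to the client. --->
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid request.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```

The change is local to each CFQUERY tag, so an old application can be converted one query at a time, starting with queries that take URL or form values.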