Right.  The problem is not that the developer is going to do a SQL
injection, it's that hackers on a public-facing site will.  DB2, Oracle
and others don't allow two queries in one statement, to stop things like
what Ben Forta demonstrates in this blog post:
http://tinyurl.com/ozq8x

That said, SQL injection attacks /can/ be prevented by doing proper data
cleaning for all queries that use values generated by outsiders (URL
params, forms, etc.).  I'm just saying that Oracle, DB2 and the others
prefer to prevent things at the database level, rather than putting the
security burden on the developer.

> -----Original Message-----
> From: S.Isaac Dealey [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 04, 2006 8:56 AM
> 
> The 2nd query won't allow anyone to perform a sql injection attack
> against the database, although it's possible that using #ColNames# or
> #preserveSingleQuotes(ColValues)# in this example might.
> 
> > Keep in mind that most other databases (besides SQL Server) don't allow
> > you to send two queries at once like this.  It's very insecure,
> > because of sql injection possibilities.  But since you guys are all
> > talking about MS SQL, this works fine.  :)
> 
> >> -----Original Message-----
> >> From: Pete Ruckelshaus [mailto:[EMAIL PROTECTED]
> >> Sent: Monday, April 03, 2006 9:03 PM
> >>
> >> You are correct.
> >>
> >> Moreover, a better solution would be something like this
> >> (assuming SQL Server):
> >>
> >> <cftransaction>
> >>        <cfquery name="qInsertData"
> >>        datasource="#APPLICATION.dsn#">
> >>                INSERT INTO t_doctors (#ColNames#)
> >>                VALUES
> >>                (#preserveSingleQuotes(ColValues)#);
> >>                SELECT  SCOPE_IDENTITY() AS newpkey;
> >>        </cfquery>
> >> </cftransaction>
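As an added example (not code from any poster in this thread), the same pattern in Python's sqlite3 module, whose execute() also runs only one statement per call, the database-level rule the thread attributes to DB2 and Oracle: a query that splices the value into SQL text the way #preserveSingleQuotes(ColValues)# does, beside the parameter-bound form that <cfqueryparam> provides. The table, rows and inputs are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the thread's t_doctors table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_doctors (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO t_doctors (name) VALUES (?)", [("Alice",), ("Bob",)])
    conn.commit()
    return conn

def lookup_concat(conn, name):
    """Vulnerable: the outsider-supplied value is spliced into the SQL text,
    as #preserveSingleQuotes(ColValues)# does in the quoted CFML."""
    sql = "SELECT id, name FROM t_doctors WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_param(conn, name):
    """Hardened: the value is bound as a parameter (what <cfqueryparam> does),
    so it is only ever compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM t_doctors WHERE name = ?", (name,)).fetchall()

def stacked_statement_rejected(conn):
    """sqlite3's execute() accepts one statement per call, like the DB2/Oracle
    behaviour described in the thread, so a stacked input (constructed) fails
    in the vulnerable function before the second statement can run."""
    stacked = "x'; DELETE FROM t_doctors; --"
    try:
        lookup_concat(conn, stacked)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM t_doctors").fetchone()[0]

def demo():
    """Why the database-level rule alone is not enough: a single-statement
    tautology (constructed) still rewrites the WHERE clause of the spliced
    query, while the parameterised query treats it as a literal name."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "stacked_rejected": stacked_statement_rejected(conn),
        "rows_after_stacked": row_count(conn),                         # 2: table untouched
        "concat_tautology_rows": len(lookup_concat(conn, tautology)),  # 2: every row leaks
        "param_tautology_rows": len(lookup_param(conn, tautology)),    # 0: no such name
        "param_legit_rows": len(lookup_param(conn, "Alice")),          # 1
    }

if __name__ == "__main__":
    print(demo())
```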
