> +1. Don't rely on stripping, regular expressions or any of that
> (although feel free to do those too); use cfqueryparam in every query
> and SQL injection is no longer a problem, if your DB genuinely
> supports bound parameters.

The problem is that I've started using Coldfusion On Wheels
(http://cfwheels.com/) which has constructs like these:

<cfset city = model("Cities").findOne(where="id=#id# AND some_other_param=#param#")>

So it is these constructs that I need sanitation for :)
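As an added illustration (not code from this post or from the CFWheels project), the hypothetical helper below builds a `where` string for constructs like the one above while only ever interpolating values that have been proven to be integers, for column names taken from an explicit allow-list; the sample request values and the function name are constructed for the example.

```cfml
<!--- Added example, not part of the original post or of CFWheels.
      buildNumericWhere() is a hypothetical helper: it refuses unknown
      column names and any value that is not an integer, so the string
      it returns is safe to hand to findOne(where=...). --->
<cffunction name="buildNumericWhere" returntype="string" output="false">
    <cfargument name="criteria" type="struct" required="true">
    <cfargument name="allowedColumns" type="array" required="true">
    <cfset var clauses = []>
    <cfset var col = "">
    <cfloop collection="#arguments.criteria#" item="col">
        <!--- Column names cannot be bound as parameters, so restrict
              them to a known set instead of trusting the caller --->
        <cfif NOT ListFindNoCase(ArrayToList(arguments.allowedColumns), col)>
            <cfthrow type="IllegalColumn" message="Column '#col#' is not allowed">
        </cfif>
        <!--- Only a validated integer is ever interpolated --->
        <cfif NOT isValid("integer", arguments.criteria[col])>
            <cfthrow type="IllegalValue" message="Value for '#col#' must be an integer">
        </cfif>
        <cfset ArrayAppend(clauses, "#col#=#Int(arguments.criteria[col])#")>
    </cfloop>
    <cfreturn ArrayToList(clauses, " AND ")>
</cffunction>

<!--- Constructed request values (not real data) --->
<cfset goodParams = {id = 42, some_other_param = 7}>
<cfset where = buildNumericWhere(goodParams, ["id", "some_other_param"])>
<!--- where is now: id=42 AND some_other_param=7 --->
<cfset city = model("Cities").findOne(where=where)>

<!--- A non-numeric id, the kind of input that the unchecked
      where="id=#id#" construct would splice straight into SQL,
      is rejected before any query string is assembled --->
<cftry>
    <cfset badParams = {id = "42 OR 1=1"}>
    <cfset where = buildNumericWhere(badParams, ["id"])>
    <cfcatch type="IllegalValue">
        <cfset where = "">
    </cfcatch>
</cftry>
```

This only covers numeric criteria; for free-text values the safe route remains a plain `<cfquery>` with `<cfqueryparam>` rather than string interpolation.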


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:248378