Now, it is my belief that CF auto-escapes single quotes, so SQL injection
into a string is not possible.  I believe it's still possible if you have a
number but pass in a string, but that can be defeated by using VAL.  

 

Someone pointed me to an article from 2 years ago that describes how to do
SQL injection with CF:
http://coldfusion.sys-con.com/read/46358.htm?CFID=472470&CFTOKEN=B2D822C3-13E7-B7E0-0702115FF33798C6

 

I couldn't get the example in there to work.  

 

Other than putting an injection string into a numeric argument, are there
any other examples of doing SQL injection with ColdFusion?  

 

Russ
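A worked example of the numeric-argument case described above, with the VAL() fix beside the cfqueryparam form and the quoted-string case for comparison. This is an added example, not code from the original post or the linked article; the datasource name "app", the users(id, username) table and the file name user.cfm are assumptions.

```cfml
<!---
  Added example (not from the original post). Same lookup written four ways.
  Assumes a datasource named "app" with a table users(id INTEGER, username VARCHAR).
  Request as  user.cfm?id=1  and then as  user.cfm?id=1%20OR%201=1  to compare.
--->
<cfparam name="url.id" default="1">
<cfparam name="url.name" default="alice">

<!--- 1. Vulnerable: numeric context. CF's automatic escaping only doubles
     single quotes, and a bare number is never inside quotes, so the request
     value lands in the SQL verbatim.
     ?id=1 OR 1=1  ->  WHERE id = 1 OR 1=1  (every row comes back). --->
<cfquery name="vulnerable" datasource="app">
    SELECT id, username FROM users WHERE id = #url.id#
</cfquery>

<!--- 2. Mitigated with Val(): Val() returns the leading numeric portion of a
     string, or 0 if there is none, so "1 OR 1=1" becomes 1 and "abc" becomes 0.
     The rest of the attacker's text never reaches the query. --->
<cfquery name="withVal" datasource="app">
    SELECT id, username FROM users WHERE id = #Val(url.id)#
</cfquery>

<!--- 3. Preferred: cfqueryparam binds the value as a typed bind parameter, so
     it is never part of the SQL text at all. With cf_sql_integer a non-numeric
     value is rejected with an error rather than silently coerced to 0. --->
<cftry>
    <cfquery name="withParam" datasource="app">
        SELECT id, username FROM users
        WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfset paramResult = withParam.recordCount & " row(s)">
    <cfcatch type="any">
        <!--- e.g. ?id=1 OR 1=1 ends up here instead of running --->
        <cfset paramResult = "rejected: " & cfcatch.message>
    </cfcatch>
</cftry>

<!--- 4. The quoted-string case the post refers to: inside the quotes CF turns
     ' OR '1'='1 into '' OR ''1''=''1, so the whole thing stays one string
     comparison. A cfqueryparam with cf_sql_varchar is still the better choice
     because it does not depend on that escaping being applied. --->
<cfquery name="stringCase" datasource="app">
    SELECT id, username FROM users WHERE username = '#url.name#'
</cfquery>

<cfoutput>
    Val("#HTMLEditFormat(url.id)#") = #Val(url.id)#<br>
    vulnerable: #vulnerable.recordCount# row(s)<br>
    withVal: #withVal.recordCount# row(s)<br>
    withParam: #paramResult#<br>
    stringCase: #stringCase.recordCount# row(s)
</cfoutput>
```

With a normal id the four queries agree; with `1 OR 1=1` the first returns the whole table, the Val() version returns the single row for id 1, and the cfqueryparam version refuses to run. Whether stacked statements such as a trailing `; DROP TABLE ...` also work through query 1 depends on the database driver allowing more than one statement per cfquery, which is why the fix belongs in the query, not in the driver settings.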



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting,
up-to-date ColdFusion information by your peers, delivered to your door four 
times a year.
http://www.fusionauthority.com/quarterly

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250665
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
