I just make sure I always scrub user-entered data when possible, but at the very least you should use <cfqueryparam> to pass data into queries.
---
Jeff Guillaume
Kazoomis
www.kazoomis.com

> Now, it is my belief that CF auto escapes single quotes, so sql injection
> into a string is not possible. I believe it's still possible if you have a
> number, but pass in a string, but that can be defeated by using VAL.
>
> Someone pointed me to an article from 2 years ago that describes how to do
> sql injection with CF:
> http://coldfusion.sys-con.com/read/46358.htm?CFID=472470&CFTOKEN=B2D822C3-13E7-B7E0-0702115FF33798C6
>
> I couldn't get the example in there to work.
>
> Other than putting in an injection string into a numeric argument, are there
> any other examples of doing SQL injection with ColdFusion?
>
> Russ

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250673
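The three ways of passing a value into a query that come up in this thread, side by side, as an added CFML example that is not part of either message above. It assumes a hypothetical "users" table with an integer "id" column and a string "username" column, a datasource named "myDSN", and values arriving in the url and form scopes; all of those names are made up for the illustration.

```cfml
<!--- Added example, not from the original thread. Assumes a hypothetical
      "users" table (integer "id", varchar "username"), a datasource "myDSN",
      and an "id" value arriving on the URL. --->

<!--- 1. Vulnerable: the value is pasted straight into the SQL text.
      ColdFusion doubles any single quote inside a #variable# it evaluates
      within cfquery, which is why a string literal is hard to break out of.
      A numeric position has no quotes around it, so input that needs no
      quotes reaches the database as part of the statement untouched. --->
<cfquery name="getUserVulnerable" datasource="myDSN">
    SELECT id, username
    FROM   users
    WHERE  id = #url.id#
</cfquery>

<!--- 2. Partial mitigation with Val(): the input is coerced to a number,
      so non-numeric text becomes 0 and the SQL stays well-formed. The cost
      is silent coercion ("12abc" becomes 12 and nothing is logged or
      rejected), and Val() offers nothing for string or date columns. --->
<cfquery name="getUserVal" datasource="myDSN">
    SELECT id, username
    FROM   users
    WHERE  id = #Val(url.id)#
</cfquery>

<!--- 3. Preferred: cfqueryparam binds the value as a typed parameter.
      The SQL text and the value travel to the database separately, so the
      value is never parsed as SQL, and cfsqltype="cf_sql_integer" makes
      ColdFusion reject non-integer input with an error instead of running
      the query with a guessed value. --->
<cfquery name="getUserSafe" datasource="myDSN">
    SELECT id, username
    FROM   users
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- The same binding works for string columns; it also lets you cap the
      length, which a bare #form.username# with quote-doubling does not. --->
<cfquery name="findByName" datasource="myDSN">
    SELECT id, username
    FROM   users
    WHERE  username = <cfqueryparam value="#form.username#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>
```

The practical difference between 2 and 3 is what happens on bad input: Val() quietly turns it into a number and the query runs, while cfqueryparam with a numeric cfsqltype throws, so a malformed request shows up in the error log rather than as a silently wrong result.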