"even then, I have not seen a way to create sql injection attacks with CF"
Russ,

One particularly nasty example I have seen in action is an attack against MSSQL DBs using EXEC sp_cmdshell. You can then run any DOS command via MSSQL.... I agree with Matt; it's better to err on the side of caution in this situation (just in case you haven't anticipated every possible form of attack that might ever exist!).

On 08/01/07, Matt Robertson <[EMAIL PROTECTED]> wrote:
>
> I am all for reducing attack surfaces. Even if cfqueryparam's sole
> purpose in life is to enhance security, it's worth it. Never mind the
> speed given under load. Use it as a cheap way to bulletproof your
> code and minimize your own personal liability in case it turns out the
> hacker is smarter than you thought they would be. That includes
> inputs like #getsite.ID#. Sure the input *should* come from where you
> think it does... but if some clown moves something into the middle of
> the picture then you have created a hole that someone can toss a
> grenade through.
>
> --
> [EMAIL PROTECTED]
> Janitor, The Robertson Team
> mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:266027
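The hole Matt describes, as an added example that is not code from either poster: a cfquery that drops #getsite.ID# straight into the SQL text, beside the cfqueryparam form he recommends. The datasource "siteDS", the table "sites" and the variable standing in for getsite.ID are assumptions made up for this illustration, and the attacker value is constructed.

```cfml
<!--- Added example, not from the original thread. Datasource "siteDS",
      table "sites" and the variable below are illustrative assumptions. --->

<!--- Constructed attacker-controlled value standing in for getsite.ID.
      The "should be an integer" assumption is exactly what an attacker
      breaks by moving something into the middle of the picture. --->
<cfset attackerID = "1 OR 1=1">

<!--- Vulnerable: the value is spliced into the SQL string, so the WHERE
      clause becomes "WHERE id = 1 OR 1=1" and matches every row. Anything
      else the caller appends runs with the datasource account's rights. --->
<cfquery name="vuln" datasource="siteDS">
    SELECT id, name
    FROM   sites
    WHERE  id = #attackerID#
</cfquery>

<!--- Hardened: cfqueryparam sends the value as a bind parameter, never as
      SQL text, so it cannot change the shape of the statement. With
      cfsqltype="cf_sql_integer" ColdFusion also validates the value before
      the query is sent: "1 OR 1=1" raises an exception here instead of
      reaching the database at all. --->
<cftry>
    <cfquery name="safe" datasource="siteDS">
        SELECT id, name
        FROM   sites
        WHERE  id = <cfqueryparam value="#attackerID#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfcatch type="any">
        <cfoutput>Rejected non-integer ID: #cfcatch.message#</cfoutput>
    </cfcatch>
</cftry>
```

The point of the second form is not that the value happens to be checked, but that the database driver receives the SQL and the parameter separately, so no value of getsite.ID can turn a lookup into a different statement; the type check is a bonus that fails loudly on the first bad input rather than silently returning the wrong rows.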