Rick Schmitty wrote:
> Is there any way for someone to hack a quoted query?
> 
> <cfquery>
> select * from table where name='#form.lastname#'
> </cfquery>

Depends on the database and the configuration.


> Seems anything I throw at the quoted query gets escaped correctly...

Have you played with characters your database considers escape 
characters? Do you know which characters those are? Do you know which 
characters those will be for every database your application will ever 
run on?
Have you played with characters CF does not consider escape characters 
because CF evaluates their Unicode version, but your database considers 
escape characters because your database considers their ASCII version? 
Do you know which characters those are? Do you know which characters those 
will be for every database your application will ever run on?


Do you expect a hacker to know more about these issues than you do?
Do you like to take chances?

Jochem
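As an added illustration of the point Jochem makes (this is not code from either poster, and the table name `table`, the column `name` and the form field `form.lastname` are simply taken from the quoted query), the usual way to take the escape-character question off the table entirely is to stop building SQL text from the form value at all and pass it as a bind parameter with `<cfqueryparam>`. The database driver then sends the value separately from the statement, so neither CF's escaping rules nor the database's idea of what an escape character is ever applies to it:

```cfml
<!--- Original pattern from the question: the form value is spliced into the
      SQL text, so correctness depends on CF's automatic escaping agreeing
      with whatever characters this particular database treats as escapes. --->
<cfquery name="byNameInterpolated" datasource="#application.dsn#">
    select * from table where name = '#form.lastname#'
</cfquery>

<!--- Hardened form: the value is bound as a typed parameter. No quoting or
      escaping of the value happens in the SQL string, so database-specific
      escape characters (ASCII or Unicode) cannot change the statement.
      maxlength is an assumed limit; pick one that matches the column. --->
<cfquery name="byNameBound" datasource="#application.dsn#">
    select * from table
    where name = <cfqueryparam value="#form.lastname#"
                               cfsqltype="cf_sql_varchar"
                               maxlength="100">
</cfquery>
```

The datasource name `application.dsn` is an assumption for the example; use whichever datasource the application already defines. Note that `cfqueryparam` only helps for values; table and column names still cannot be bound and must come from a fixed allow-list in the code rather than from the request.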

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285731