> > Are you kidding???  I just replace form.lastname
> > with:   " test'; DROP TABLE table; "
> > Poof, your data'z are gone
> 
> ColdFusion would escape that single quote, rendering this 
> attempt pretty much useless and "data'z" would still be 
> there.  I'm not suggesting that you shouldn't use 
> CFQUERYPARAM wherever possible, but it's not so simple to 
> inject with a quoted string as it may seem at first glance 
> (it can certainly be done).  Now, if this were ASP.Net...

While you're absolutely correct about this specific example not working, you
should read Jochem's most recent post very carefully. It is very difficult
to guarantee that there is no character sequence that will "break out" of
your single-quoted string, and there are people much smarter than me whose
job (or hobby) it is to find these sequences and use them. I can spend my
time worrying about that, or I can use CFQUERYPARAM. It's an easy choice,
and it conforms to the security dictum "deny, then allow" - rather than
identifying every potentially dangerous sequence, I can just use
CFQUERYPARAM to prevent any possible SQL injection. CFQUERYPARAM tells the
database that input values are not executable code. It denies the
possibility of execution for any value.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
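
The two query styles being argued about, as an added illustration that is not part of Dave's post or the original thread. The datasource name (myDSN), the customers table and its columns are assumptions; the input value is the payload quoted at the top of the thread, set here as constructed sample data.

```cfml
<!--- Constructed sample input standing in for a submitted form.lastname;
      the value is the one quoted earlier in this thread --->
<cfset form.lastname = "test'; DROP TABLE table; ">

<!--- Vulnerable style: the value is concatenated into the SQL text.
      Inside a cfquery, ColdFusion doubles the single quote in a #...#
      expression, which is why this particular payload fails, but the
      value is still being treated as part of the SQL statement. --->
<cfquery name="qUnsafe" datasource="myDSN">
    SELECT id, firstname, lastname
    FROM   customers
    WHERE  lastname = '#form.lastname#'
</cfquery>

<!--- Parameterized style: cfqueryparam sends the value as a bind
      parameter, so the database never parses it as SQL, whatever
      characters it contains. cfsqltype and maxlength also reject
      values that do not fit the column. --->
<cfquery name="qSafe" datasource="myDSN">
    SELECT id, firstname, lastname
    FROM   customers
    WHERE  lastname = <cfqueryparam value="#form.lastname#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>

<cfoutput>
    Rows matching the literal value: #qSafe.recordCount#
</cfoutput>
```

With the parameterized query the search simply looks for a customer whose last name is the literal string, so the "deny, then allow" outcome holds without anyone having to enumerate dangerous character sequences.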


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285763