Dave,

What about a semi-colon?

Storedproc '#var1#','#var2#' ; *other code*

Would the CFQUERY not allow this additional code to run?

-Mark

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2008 5:50 PM
To: CF-Talk
Subject: RE: cfquery and cfstoredproc

> > i have been asked to look at a possible sql injection attack.
> > as I look through the code I see stored procs being called by using
> > cfquery like:
> >
> > cfquery name="asdf" datasource="asdf"
> >
> > storedproc '#var1#', '#var2#'
> >
> > cfquery
> >
> > I've read about using cfstored procs and params to prevent attacks.
> > I've read that using cfquery and doing inline queries can cause
> > injection attacks but I wasn't sure about using cfquery and calling
> > a stored proc through it. Can somebody please confirm?
>
> Yes you are vulnerable if you do not sanitize the inputs.....

Actually, generally you won't be vulnerable here. You're calling a stored procedure, which is going to take your inputs and stick them in input parameters. As long as you're not executing strings directly in your stored procedure (using EXEC, EXECUTE, sp_executesql, etc) you'll be fine.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
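For reference, an added example that is not part of the thread: the interpolated call quoted above, next to the two bound-parameter forms (cfqueryparam inside cfquery, or cfstoredproc with cfprocparam) that keep var1 and var2 out of the SQL text entirely. The procedure name "storedproc", the datasource "asdf" and the varchar types are assumptions taken from the thread.

```cfml
<!--- Added example; not code from the original thread.
      Assumes a procedure "storedproc" with two varchar inputs on
      datasource "asdf" (names from the thread, types assumed). --->

<!--- Pattern quoted in the thread: the values are pasted into the
      statement text, so whatever var1 or var2 contain (a quote, a
      semicolon followed by more SQL) is parsed as part of the query. --->
<cfquery name="unsafe" datasource="asdf">
    storedproc '#var1#', '#var2#'
</cfquery>

<!--- Hardened form 1: same cfquery, but each value is sent as a bound
      parameter via cfqueryparam. The database receives the statement
      and the two values separately, so a semicolon inside var1 is just
      a character in a string, never a statement separator. --->
<cfquery name="safe" datasource="asdf">
    storedproc
        <cfqueryparam value="#var1#" cfsqltype="cf_sql_varchar" maxlength="50">,
        <cfqueryparam value="#var2#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<!--- Hardened form 2: cfstoredproc with cfprocparam, which binds the
      inputs the same way and also makes the type and length explicit. --->
<cfstoredproc procedure="storedproc" datasource="asdf">
    <cfprocparam type="in" cfsqltype="cf_sql_varchar" value="#var1#" maxlength="50">
    <cfprocparam type="in" cfsqltype="cf_sql_varchar" value="#var2#" maxlength="50">
    <cfprocresult name="safe2">
</cfstoredproc>
```

Either bound form closes the gap Mark describes at the call site; as Dave notes, the procedure body itself still has to avoid building and executing SQL strings from those parameters.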