> > Say you had a proc that looked like this:
> >
> > CREATE PROC sps_testproc
> >     @AID int = null,
> >     @BID int = null
> > AS
> >     IF @AID IS NOT NULL
> >         SELECT @AID
> >     IF @BID IS NOT NULL
> >         SELECT @BID
> >
> > If I was using CFQUERY, unprotected-style, I might write this:
> >
> > <cfquery ...>
> >     sps_testproc
> >     <cfif whichvar = "A">
> >         @aid=123
> >     <cfelse>
> >         @bid=456
> >     </cfif>
> > </cfquery>

Well, first of all, in this case the stored procedure itself is handling validation. It's going to make sure that @aid and @bid are integers, and fail if they're not. In addition, in the above case, the parameters don't even contain CF variables! So, you don't really need to go any farther, as your current code is safe.
As Mark just pointed out, if you did have actual CF variables in your statement, those would be vulnerable. The stored procedure itself isn't vulnerable, of course, but the CFQUERY tag would be unless you'd configured your database login so that it could only execute stored procedures.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309500
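To make the distinction in Dave's reply concrete, here is an added example (not code from Dave or from the original poster) showing the same sps_testproc call written three ways: with a CF variable pasted into the SQL text, with cfqueryparam, and with cfstoredproc. It assumes a datasource named "myDSN", a variable whichvar that picks the branch, and form fields form.aid and form.bid supplied by the caller; all of those names are assumptions for the example.

```cfml
<!--- Constructed example, not Dave's or the original poster's code.
      Assumed names: datasource "myDSN", variable whichvar, and
      form.aid / form.bid submitted by the caller. --->

<!--- Unsafe pattern: the CF variable is pasted straight into the SQL text.
      SQL Server parses whatever the caller submitted as part of the
      statement, so the proc's integer typing of @aid only applies to a
      value that actually arrives as a parameter, not to extra SQL text. --->
<cfquery name="unsafeCall" datasource="myDSN">
    EXEC sps_testproc
    <cfif whichvar EQ "A">
        @aid = #form.aid#
    <cfelse>
        @bid = #form.bid#
    </cfif>
</cfquery>

<!--- Hardened pattern: cfqueryparam sends the value as a bound parameter
      and validates it against CF_SQL_INTEGER before the statement runs,
      so a non-numeric value raises a ColdFusion error and never reaches
      the database as SQL. --->
<cfquery name="safeCall" datasource="myDSN">
    EXEC sps_testproc
    <cfif whichvar EQ "A">
        @aid = <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#form.aid#">
    <cfelse>
        @bid = <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#form.bid#">
    </cfif>
</cfquery>

<!--- Same call through cfstoredproc: every argument is bound, nothing is
      concatenated. cfprocparam is positional, so when only @BID is wanted
      an explicit NULL is passed for @AID (both default to null in the proc). --->
<cfstoredproc procedure="sps_testproc" datasource="myDSN">
    <cfif whichvar EQ "A">
        <cfprocparam type="in" cfsqltype="CF_SQL_INTEGER" value="#form.aid#">
    <cfelse>
        <cfprocparam type="in" cfsqltype="CF_SQL_INTEGER" null="yes">
        <cfprocparam type="in" cfsqltype="CF_SQL_INTEGER" value="#form.bid#">
    </cfif>
</cfstoredproc>
```

The cfqueryparam and cfstoredproc forms are the fix at the application layer; the execute-only database login Dave mentions is a separate control that limits what an injected statement could do, and the two are worth using together rather than as alternatives.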