Second to last sentence should read .... "you are safe from damage to the
db"


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Mark Kruger [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 24, 2008 12:37 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Using CFQUERYPARAM will secure your DB calls. That doesn't mean you don't
have other problems. But it does mean that executing arbitrary code against
the DB using user inputs (form, url, cookie) is no longer possible. When the
system sees something like <cfqueryparam type="CF_SQL_CHAR" value="blah;
drop table foo"/>, it will bind those characters to a variable of the type
"char". Unless you are subsequently executing that char string as dynamic
SQL somewhere (like in an SP) you are safe from damage to the DB. Of course
there are plenty of other things to worry about :)

-Mark



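The bind-versus-concatenate behaviour Mark describes, shown as an added example that is not code from the thread. It uses Python's sqlite3 module as a stand-in for cfqueryparam: the "?" placeholder binds the value the same way cfqueryparam does, executescript() stands in for a database that accepts a batch of statements, and lookup_bound_then_dynamic() models the caveat in the last sentence, a stored procedure that takes the bound value and splices it into a string it then executes. The table, rows and payload are constructed for the demo; the payload is the thread's "blah; drop table foo" with a closing quote added so it can break out of a string literal.

```python
import sqlite3

# Constructed attacker input: the thread's payload plus a closing quote
# so that it can terminate a quoted string in concatenated SQL.
PAYLOAD = "blah'; DROP TABLE foo; --"


def fresh_db():
    """In-memory database with the 'foo' table the payload tries to drop."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO foo (name) VALUES ('alice')")
    conn.commit()
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_concat(conn, user_input):
    """The pre-cfqueryparam pattern: input pasted straight into the SQL text.
    executescript() runs every statement in the string, like a server that
    accepts a batch, so the injected DROP TABLE executes."""
    sql = "SELECT name FROM foo WHERE name = '%s'" % user_input
    conn.executescript(sql)


def lookup_bound(conn, user_input):
    """The cfqueryparam pattern: the value is bound to a parameter of type
    char. It can only ever be compared against the column; it is never
    parsed as SQL, so 'DROP TABLE' is just characters."""
    cur = conn.execute("SELECT name FROM foo WHERE name = ?", (user_input,))
    return [row[0] for row in cur.fetchall()]


def lookup_bound_then_dynamic(conn, user_input):
    """The caveat: the value arrives safely as a bound parameter, but a
    stored procedure (modelled here by the second step) builds a SQL string
    around it and executes that string. We are back to concatenation."""
    bound = conn.execute("SELECT ?", (user_input,)).fetchone()[0]
    conn.executescript("SELECT name FROM foo WHERE name = '%s'" % bound)


def lookup_bound_then_dynamic_safe(conn, user_input):
    """Dynamic SQL done correctly (the sp_executesql idea): the procedure
    builds its statement with a placeholder and binds the value again."""
    bound = conn.execute("SELECT ?", (user_input,)).fetchone()[0]
    stmt = "SELECT name FROM foo WHERE name = ?"  # placeholder, not splicing
    return [row[0] for row in conn.execute(stmt, (bound,)).fetchall()]


if __name__ == "__main__":
    db = fresh_db()
    lookup_concat(db, PAYLOAD)
    print("concat: foo survives?", table_exists(db, "foo"))  # False

    db = fresh_db()
    print("bound: rows", lookup_bound(db, PAYLOAD), "foo survives?",
          table_exists(db, "foo"))  # [] True

    db = fresh_db()
    lookup_bound_then_dynamic(db, PAYLOAD)
    print("bound then dynamic SQL: foo survives?", table_exists(db, "foo"))  # False

    db = fresh_db()
    print("bound then parameterized dynamic SQL: rows",
          lookup_bound_then_dynamic_safe(db, PAYLOAD), "foo survives?",
          table_exists(db, "foo"))  # [] True
```

The last two functions are the practical check to make on any stored procedure that receives a bound value: grep it for EXEC / EXECUTE of a built-up string, and if it does that, the cfqueryparam on the ColdFusion side bought nothing for that path.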
Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309634