Great, yes, I understand. Basically it runs another script against the database, so
it assumes that it is not part of the user_id. Good, thanks.

On Thu, Jul 24, 2008 at 3:05 PM, Dave Watts <[EMAIL PROTECTED]> wrote:

> > How can it be processed when USER_ID in database is
> > specified for LENGTH 15 and USER_ID with hacker code has
> > length like 100?
>
> For the purpose of preventing SQL injection, the length of the field in
> your prepared statement doesn't matter. It is enough for it to be a prepared
> statement, which you build in CF using CFQUERYPARAM. Without it, the
> database has no idea which parts of the query are supposed to be executable
> SQL, and which parts are supposed to be data.
>
> In a successful SQL injection attack, the value that's injected would be
> more than just your USER_ID value; it would also contain executable SQL
> code, and your database would simply execute the code; it would not assume
> that this code is supposed to be part of your USER_ID value.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
>
> 
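The point Dave makes above, as an added CFML example that is not from this thread: the datasource name "app", the table USERS and the column USERNAME are assumed, and USER_ID is assumed to be VARCHAR(15) as in the original question.

```cfml
<!--- Added example, not from the thread. Assumes a datasource named "app"
      and a table USERS whose USER_ID column is VARCHAR(15). --->

<!--- Vulnerable: the request value is pasted into the SQL text, so the
      database cannot tell where the USER_ID data ends and SQL begins. --->
<cfquery name="getUserUnsafe" datasource="app">
    SELECT USER_ID, USERNAME
    FROM USERS
    WHERE USER_ID = '#form.user_id#'
</cfquery>

<!--- Safe: cfqueryparam makes this a prepared statement. The value travels
      separately from the SQL text and is only ever treated as data, however
      long it is and whatever characters it contains, so the column length
      plays no part in stopping injection. --->
<cftry>
    <cfquery name="getUser" datasource="app">
        SELECT USER_ID, USERNAME
        FROM USERS
        WHERE USER_ID = <cfqueryparam value="#form.user_id#"
                                      cfsqltype="cf_sql_varchar"
                                      maxlength="15">
    </cfquery>

    <cfif getUser.recordCount EQ 0>
        <cfoutput><p>No such user.</p></cfoutput>
    </cfif>

    <!--- maxlength is an extra input check, not the injection defence:
          ColdFusion throws an error before the query runs if the value is
          longer than 15 characters, rather than truncating or passing it. --->
    <cfcatch type="any">
        <cfoutput><p>Invalid user id.</p></cfoutput>
    </cfcatch>
</cftry>
```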


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309668
