>MaryJo produces a product that she supports on older platforms, hence 
>the need to bypass cfqueryparam.

Actually, that's not really the issue so much as customers that are running 
older versions of my software that don't have all the text inputs covered with 
cfqueryparams. While this is certainly no substitute for them upgrading to my 
newer versions that are better protected against this new attack (and other 
stuff like XSS), it helps with customer relations to provide them with something 
to at least block it until such time as they get around to upgrading. I haven't 
supported anything below CF5 for quite some time! 

I may still include it in newer versions as well, for a couple of reasons. One is 
simply that I prefer stopping hackers before they can even get to code that 
accesses the database, for whatever reason. It may not be 100% foolproof, but 
it's a worthwhile thing to do, IMO. The other reason is that my software is 
*very* commonly modified by those that purchase it. Hopefully anyone doing the 
code changes would know to use cfqueryparam, but I've seen some pretty awful 
coding in my years of doing this, so I prefer not to assume and have some code 
in there that may help protect the site... because regardless of how a hacker 
gets in, it will still be me that gets the blame. ;-) 

--- Mary Jo
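As an added illustration of the two layers discussed above (this is example code written for this page, not Mary Jo's product code or anything from the CF-Talk archive), the first part shows the same lookup with the text input concatenated into the SQL and then rewritten with cfqueryparam, which is the fix that actually closes the hole. The second part is a hypothetical Application.cfm pre-check of the kind that can be dropped in front of older code that is not yet fully parameterized: it uses only CF5-era tags and functions (no cffunction), treats any form or URL field whose name ends in `_id` as required to be an integer, caps every other field at an assumed length, and rejects the request before any page code runs. The datasource name `application.dsn`, the `users` table, the `username` field and the `_id` naming convention are all assumptions for the example.

```cfml
<!--- Part 1: the query itself. --->

<!--- Before: the text input is pasted straight into the statement, so whatever
      the visitor typed becomes SQL. This is the pattern the older versions have
      not yet cleaned up. --->
<cfquery name="getUser" datasource="#application.dsn#">
    SELECT user_id, username
    FROM users
    WHERE username = '#form.username#'
</cfquery>

<!--- After: the value is bound as a typed, length-limited parameter. The driver
      sends it separately from the statement text, so it can only ever be data. --->
<cfquery name="getUser" datasource="#application.dsn#">
    SELECT user_id, username
    FROM users
    WHERE username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>


<!--- Part 2: Application.cfm (hypothetical). ColdFusion runs this before every
      page in the application, so a request rejected here never reaches the code
      that builds a query. It does NOT replace cfqueryparam; it only narrows what
      un-parameterized pages can receive in the meantime. --->
<cfset maxFieldLength = 255>   <!--- assumed cap; tune to the application --->
<cfset badRequest = false>

<!--- Merge URL and FORM into one structure so a single loop covers both. --->
<cfset requestData = structNew()>
<cfset dummy = structAppend(requestData, url)>
<cfset dummy = structAppend(requestData, form)>

<cfloop collection="#requestData#" item="fieldName">
    <cfset fieldValue = requestData[fieldName]>

    <cfif right(fieldName, 3) EQ "_ID" AND NOT reFind("^[0-9]+$", fieldValue)>
        <!--- Allow-list: an *_id field must be a plain integer, nothing else. --->
        <cfset badRequest = true>
    <cfelseif len(fieldValue) GT maxFieldLength>
        <!--- Oversized input is refused rather than truncated. --->
        <cfset badRequest = true>
    </cfif>
</cfloop>

<cfif badRequest>
    <!--- Fail closed: a 400 and stop. No detail about which rule tripped is
          sent to the client; log it server-side instead. --->
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Request rejected.</cfoutput>
    <cfabort>
</cfif>
```

The allow-list check is deliberately narrow: it states what a field may contain rather than trying to enumerate what an attacker might send, so it does not need updating when the next attack string appears. Anything the pre-check lets through still has to be handled by cfqueryparam in the page itself, which is why Part 1 remains the real fix and Part 2 is only a stopgap for installations that have not upgraded.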




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309830