That is, unless you concatenate SQL in your stored procedure. http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me
~Brad

----- Original Message -----
From: "denstar" <[EMAIL PROTECTED]>
To: "CF-Talk" <cf-talk@houseoffusion.com>
Sent: Tuesday, August 26, 2008 6:26 PM
Subject: Re: SQL injection attack on House of Fusion

> On Tue, Aug 26, 2008 at 2:01 PM, Dave Watts wrote:
>>> It doesn't work with stored procedures (which shouldn't
>>> matter, 'cause I think they are type-checked by the DB first
>>> anyways)
>>
>> Well, not necessarily. As Mark pointed out when this thread started - it
>> feels like it was long, long ago - if you're calling a stored procedure
>> from CFQUERY you have to check your variables there too. If you're using
>> CFSTOREDPROC, that builds a prepared statement that calls the stored
>> procedure for you, and you don't have to worry about it.
>
> Ah, thank you Dave! I was thinking of cfstoredproc, I reckon.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311643
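To illustrate Brad's caveat on the database side: even when the ColdFusion caller binds the value properly (cfqueryparam in a cfquery, or cfprocparam in a cfstoredproc, as the thread describes), a stored procedure that builds its own SQL string by concatenation re-introduces the injection inside the database. The following T-SQL is an added example written for this note, not code from the thread or from House of Fusion; the table dbo.Users, its columns and the procedure names are hypothetical.

```sql
-- Added example (not from the thread): a hypothetical SQL Server table and
-- three versions of a lookup procedure. The caller binds @UserName as a
-- parameter in every case; only the procedure body differs.
CREATE TABLE dbo.Users (
    UserID   INT IDENTITY PRIMARY KEY,
    UserName NVARCHAR(100) NOT NULL
);
GO

-- UNSAFE: @UserName arrives as a bound parameter, but the procedure splices
-- it into a string and then executes that string as SQL. A quote or a
-- statement separator inside the value becomes part of the statement, so
-- cfqueryparam/cfprocparam on the caller side no longer help.
CREATE PROCEDURE dbo.FindUser_Unsafe
    @UserName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT UserID, UserName FROM dbo.Users WHERE UserName = '''
             + @UserName + N'''';
    EXEC (@sql);   -- dynamic SQL built by concatenation: this is the defect
END;
GO

-- SAFE: if dynamic SQL is genuinely needed (here the sort column is chosen
-- at run time), keep the data value a parameter via sp_executesql and
-- whitelist the part that cannot be parameterized (an identifier).
CREATE PROCEDURE dbo.FindUser_Safe
    @UserName   NVARCHAR(100),
    @SortColumn SYSNAME = N'UserName'
AS
BEGIN
    -- Identifiers cannot be bound as parameters, so check against a fixed
    -- list and quote the result with QUOTENAME.
    IF @SortColumn NOT IN (N'UserName', N'UserID')
    BEGIN
        RAISERROR('Invalid sort column', 16, 1);
        RETURN;
    END;

    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT UserID, UserName FROM dbo.Users WHERE UserName = @u '
             + N'ORDER BY ' + QUOTENAME(@SortColumn);

    -- @UserName is passed as a bound parameter of the dynamic statement, so
    -- its content can never change the structure of the query.
    EXEC sp_executesql @sql, N'@u NVARCHAR(100)', @u = @UserName;
END;
GO

-- SIMPLEST: no dynamic SQL at all, so there is nothing to concatenate. This
-- is the case where a parameterized call from ColdFusion is sufficient.
CREATE PROCEDURE dbo.FindUser_Static
    @UserName NVARCHAR(100)
AS
BEGIN
    SELECT UserID, UserName FROM dbo.Users WHERE UserName = @UserName;
END;
GO
```

A quick review check for an existing code base is to search procedure definitions for EXEC followed by a parenthesised string or for string building that ends in EXEC; those are the procedures where the caller's parameter binding is not the last word.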