I've always been curious as to how cfqueryparam works. Does anyone know if
it just performs some scanning and filtering on the actual values of the
parameters passed to it or whether it somehow signals to the RDBMS that the
values are parameters to the query thereby treating an SQLI attack as an
escaped string or something?

cfqueryparam errors when you try to use it outside a cfquery tag, which
limits some of the stuff you can do with it (like using cfsavecontent to
have various cffunctions append SQL to a query and then popping that
variable inside of a cfquery tag).

Is there some other way to leverage the parameterized safety of
cfqueryparam? Can you do it using pure SQL? The database driver? Any ideas
on how I could provide the same security outside of cfquery tags?


On Thu, Apr 16, 2009 at 9:32 AM, Gerald Guido <gerald.gu...@gmail.com> wrote:

>
> This is the link to the function code in case it was not apparent from my
> post... I really need to slow down. ;o)
>
> http://coz.pastebin.com/f588cde23
>
> G!
>
> --
> Gerald Guido
> http://www.myinternetisbroken.com
> http://www.cfsimple.org/
>
> "To invent, you need a good imagination and a pile of junk."
> -- Thomas A. Edison
>
>
> 
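For the mechanism asked about at the top of this thread, here is an added example that is not code from the thread or from ColdFusion itself. It uses Python's standard sqlite3 DB-API as a stand-in for the database driver behind a cfquery tag, with a constructed in-memory table and constructed inputs. The point it shows: a bound parameter is not a filtered or escaped string, the statement text and the values are handed to the driver separately, so a value containing SQL stays a value and never reaches the SQL parser.

```python
import sqlite3

# Constructed in-memory database standing in for the RDBMS behind a cfquery tag.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return conn

def lookup_concatenated(conn, name):
    # Value spliced into the SQL text: the database parses it as part of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))

def lookup_parameterized(conn, name):
    # Value handed to the driver as a bound parameter (the same driver-level
    # mechanism cfqueryparam relies on): the statement text is fixed and the
    # value is transmitted as data, so it is never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))

def compare(name):
    # Returns (result of concatenated query, result of parameterized query).
    conn = build_db()
    try:
        try:
            concat = lookup_concatenated(conn, name)
        except sqlite3.OperationalError as e:
            concat = f"error: {e}"
        return concat, lookup_parameterized(conn, name)
    finally:
        conn.close()

if __name__ == "__main__":
    # An ordinary apostrophe breaks the concatenated statement outright.
    print(compare("o'brien"))
    # Constructed injection-style input: the concatenated query matches every
    # row, the parameterized query matches none because no name equals that text.
    print(compare("x' OR 'a'='a"))
```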


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321650