Dave Watts wrote:

>> it somehow signals to the RDBMS that the
>> values are parameters to the query thereby treating an SQLI attack as an
>> escaped string or something?
>
> It builds a prepared statement. It doesn't scan or filter anything.
> Thus the database knows the data is data and not commands and does not try to execute commands that just may happen to be in the data.

>> Any ideas
>> on how I could provide the same security outside of cfquery tags?
>
> You could build a prepared statement yourself.

There you go.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321657
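The distinction the thread draws, "data is data and not commands", is easy to see by running the same input through a string-built statement and through a prepared statement. The block below is an added example, not code from the thread or from ColdFusion; it uses Python's built-in `sqlite3` module with a constructed in-memory table so it runs offline. The `?` placeholder is sqlite3's parameter marker; the driver sends the SQL text and the bound value separately, which is what `cfqueryparam` does for you inside `cfquery` and what you have to do yourself outside it.

```python
import sqlite3


def make_db():
    # Constructed sample table for the demonstration; not data from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn, name):
    # Dynamic SQL: the input is spliced into the statement text, so the SQL
    # parser sees whatever quotes and keywords it contains as part of the query.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    # Prepared statement: the statement text is fixed and the value is bound
    # as a parameter, so it is only ever compared as a string, never parsed.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    conn = make_db()
    plain = "bob"
    # Constructed input that happens to be valid SQL if it lands in the statement text.
    hostile = "x' OR 'a'='a"
    return {
        "concat_plain": lookup_concat(conn, plain),
        "concat_hostile": lookup_concat(conn, hostile),
        "prepared_plain": lookup_prepared(conn, plain),
        "prepared_hostile": lookup_prepared(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the concatenated version the odd-looking input widens the `WHERE` clause and every row comes back; with the bound parameter the database simply looks for a user literally named `x' OR 'a'='a` and finds none. One caveat worth keeping in mind: parameters can only stand in for values. Table names, column names and `ORDER BY` targets cannot be bound, so those still have to be validated against a fixed allow-list in your own code.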