Am I correct in assuming (after just having skimmed the topic with Google)
that to do that within CFML I'd have to drop into Java and use the MySQL
Java API to achieve that?

On Thu, Apr 16, 2009 at 10:36 AM, Dave Watts <dwa...@figleaf.com> wrote:

>
> > I've always been curious as to how cfqueryparam works. Does anyone know if
> > it just performs some scanning and filtering on the actual values of the
> > parameters passed to it or whether it somehow signals to the RDBMS that the
> > values are parameters to the query thereby treating an SQLI attack as an
> > escaped string or something?
>
> It builds a prepared statement. It doesn't scan or filter anything.
>
> > cfqueryparam errors when you try to use it outside a cfquery tag, which
> > limits some of the stuff you can do with it. (Like using cfsavecontent to
> > have various cffunctions append SQL to a query and then popping that
> > variable inside of a cfquery tag).
> >
> > Is there some other way to leverage the parameterized safety of
> > cfqueryparam? Can you do it using pure SQL? The database driver? Any ideas
> > on how I could provide the same security outside of cfquery tags?
>
> You could build a prepared statement yourself.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
>
> 
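What "it builds a prepared statement" means in practice, as an added example that is not from this thread and not ColdFusion or MySQL code: a Python script using an in-memory SQLite table (standing in for MySQL, since the mechanism is the same for any JDBC or DB-API driver) that runs one lookup by splicing the value into the SQL text and the same lookup with the value bound as a parameter. The `users` table, the `find_user_*` function names and the probe string are constructed for the example.

```python
import sqlite3


def setup_db():
    # Constructed sample data; an in-memory database so the script runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 1), ("carol", 0)],
    )
    return conn


def find_user_concat(conn, name):
    # Vulnerable form: the value becomes part of the SQL text, so the
    # database parses whatever it contains as SQL syntax.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn, name):
    # Prepared-statement form: the SQL text is compiled with a placeholder
    # first, then the value is bound to it. No scanning or escaping happens;
    # the value is simply never parsed as SQL. This is what a JDBC
    # PreparedStatement (and, per the reply above, cfqueryparam) does.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    conn = setup_db()
    # A classic tautology probe, used here only to show the difference.
    probe = "x' OR '1'='1"
    return {
        "concat": find_user_concat(conn, probe),      # every row comes back
        "prepared": find_user_prepared(conn, probe),  # no row matches literally
        "prepared_literal": find_user_prepared(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated version returns all three users because the probe rewrites the WHERE clause; the prepared version returns nothing because the driver compares the column against the literal string `x' OR '1'='1`. The same split applies to the thread's question: any route that ends in a prepared statement with bound parameters (JDBC from Java, or cfqueryparam from CFML) gives the protection, while any route that assembles SQL text from values, such as accumulating fragments in cfsavecontent, does not.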


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321664