> C'mon, if they are users and they have access to the system, if they go crazy,
> do they really need SQL injection to harm the system?
> They can simply delete all what they have access to, they can replace
> content by porn, whatever.
> Will CFQUERYPARAM protect your application against that?

Presumably, they have limited access to what they're allowed to change, and nothing else. User security is all about two things - authenticating users and limiting their access to specific items. You're acting as if the second concern doesn't exist. It does, within any sufficiently large environment. This is why enterprises don't let their users log in as local admins, why they buy content filters for outbound messaging, etc, etc, etc.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324083