Whatever you wish to call it, it is a cfquery that only allows data in via a cfqueryparam tag, yet is susceptible to SQL injection. I don't believe in silver bullets and I certainly don't want someone to get a false sense of security that they used method "x" and now their app is unilaterally protected from gremlins.
I do like how you said "explicitly treating data as executable code". That's really what it's all about no matter what method/tag you use.

~Brad

-------- Original Message --------
Subject: Re: CF prepared statements
From: Dave Watts <dwa...@figleaf.com>
Date: Thu, July 16, 2009 2:17 pm
To: cf-talk <cf-talk@houseoffusion.com>

> You should know better than that, Dave. I'll always be here to point
> out the edge case--

If you use EXEC, EXECUTE, sp_executesql, whatever, you are explicitly treating data as executable code. That's what those SPs and functions do. I don't think that's an edge case; it's a different case entirely.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324603
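The case Brad and Dave are describing, written out as an added T-SQL example that is not part of the thread: the value reaches SQL Server correctly bound through cfqueryparam, and the stored procedure then rebuilds it into dynamic SQL. The CFML call, the procedure and table names, and the column list are assumptions for the illustration.

```sql
-- Added example (not from the thread). Assumed CFML caller:
--   <cfquery datasource="app">
--     EXEC dbo.FindUser @name = <cfqueryparam value="#form.name#"
--                                          cfsqltype="cf_sql_varchar">
--   </cfquery>
-- cfqueryparam guarantees @name arrives as a string value; what the
-- procedure does with that value afterwards is outside its control.

-- VULNERABLE: the bound value is spliced into a new SQL string and
-- executed, so inside the database the data becomes code again.
-- A single quote in @name ends the literal and whatever follows is
-- parsed as SQL, exactly as if cfqueryparam had never been used.
CREATE PROCEDURE dbo.FindUser_Unsafe @name NVARCHAR(100) AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT id, name FROM dbo.Users WHERE name = '''
             + @name + N'''';
    EXEC (@sql);
END;
GO

-- FIXED: sp_executesql with a parameter definition keeps @name a value.
-- The statement text is a constant; the engine never parses the data.
CREATE PROCEDURE dbo.FindUser_Safe @name NVARCHAR(100) AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT id, name FROM dbo.Users WHERE name = @n';
    EXEC sp_executesql @sql, N'@n NVARCHAR(100)', @n = @name;
END;
GO

-- SIMPLEST: when the statement shape is fixed, no dynamic SQL at all.
CREATE PROCEDURE dbo.FindUser_Static @name NVARCHAR(100) AS
BEGIN
    SELECT id, name FROM dbo.Users WHERE name = @name;
END;
GO
```

When reviewing a cfquery for injection, the check is therefore not only "is every value bound?" but also "does anything downstream (EXEC, EXECUTE, sp_executesql without a parameter list) concatenate that value back into SQL text?".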