> > CFQUERYPARAM will prevent all SQL injection attacks
>
> This is demonstrably false. Semantics, arguments and opinions aside,
> spreading misinformation like this is irresponsible. An attack can be made
> to inject SQL on a CF application using CFQuery that cannot be prevented
> with cfqueryparam. To paraphrase Uncle Bill, "...it must follow, as the
> night the day, thou canst not then prevent SQL injection
> attacks with cfqueryparam".
This is getting silly. Prepared statements explicitly separate executable SQL
code from literal values used as data. Unless you write an SQL statement that
explicitly reverses this by treating literal values as executable SQL code,
CFQUERYPARAM will prevent all SQL injection attacks. If you have an example
that falls outside this category, I'd love to see it, of course.

The vast majority of SQL select statements - what do you think, 99.99%,
99.999%? - do not fall within this category. And any minimally competent
programmer who does write SQL that explicitly treats literal values as
executable code knows the ramifications of that.

I submit to you that what you wrote is far more irresponsible than what I
wrote. The problem isn't people depending on CFQUERYPARAM in vain, it's
people not using it when they should. But I guess thou canst not then
prevent people from missing the forest for the trees.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction
at our training centers in Washington DC, Atlanta, Chicago, Baltimore,
Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324618
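As an added illustration of the distinction drawn in the reply above (example code written for this page, not from the thread or from Fig Leaf), here is the same lookup done three ways in CFML; it assumes a datasource named `app`, a `users` table, and a hypothetical T-SQL stored procedure `usp_search`:

```cfml
<!--- Constructed example, not from the thread. --->

<!--- 1. Inline interpolation: the user-supplied value is spliced into the
       SQL text, so the database parses it as part of the statement.
       This is the pattern cfqueryparam exists to replace. --->
<cfquery name="vuln" datasource="app">
    SELECT id, name FROM users WHERE name = '#url.name#'
</cfquery>

<!--- 2. cfqueryparam: the value travels as a bind parameter and is never
       parsed as SQL. Quotes or keywords inside url.name are just bytes in a
       string literal; maxlength also bounds the input. --->
<cfquery name="safe" datasource="app">
    SELECT id, name FROM users
    WHERE name = <cfqueryparam value="#url.name#"
                               cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<!--- 3. The category the reply describes: the SQL itself turns a bound
       literal back into executable code. The client side binds correctly;
       the (hypothetical) procedure below then executes the value as SQL. --->
<cfstoredproc procedure="usp_search" datasource="app">
    <cfprocparam cfsqltype="cf_sql_varchar" value="#url.filter#">
    <cfprocresult name="rows">
</cfstoredproc>
<!---
  -- Hypothetical T-SQL body of usp_search, shown for contrast:
  CREATE PROCEDURE usp_search @filter NVARCHAR(200) AS
      EXEC('SELECT id, name FROM users WHERE ' + @filter)
  -- @filter arrives as data but is executed as code. No client-side
  -- parameterisation can change that; the fix lives in the procedure,
  -- e.g. sp_executesql with its own bound parameters, or no dynamic SQL:
  CREATE PROCEDURE usp_search @name NVARCHAR(50) AS
      SELECT id, name FROM users WHERE name = @name
--->
```

Reviewing for injection therefore means checking both ends: that every literal in CFML goes through cfqueryparam or cfprocparam, and that no procedure or trigger rebuilds SQL text from those bound values.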