Unless people insist on using preserveSingleQuotes() when they've built a SQL statement dynamically in a string which they then pass to the cfquery tag.
mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

2009/8/17 Rick Root <rick.r...@webworksllc.com>:
>
> that actually wouldn't work because ColdFusion automatically escapes
> single quotes inside strings inside cfquery.
>
> But maybe this:
>
> <cfset NewPassword = "whatever" />
> <cfset userid = "1 OR 1=1 --" />
>
> <cfquery ...>
> UPDATE users
> SET pass = '#NewPassword#'
> WHERE userid = '#Userid#'
> </cfquery>
>
> But... your point is well made :)
>
> On Mon, Aug 17, 2009 at 9:22 AM, Peter Boughton <bought...@gmail.com> wrote:
>>
>> Not all injection tricks are based upon multi-statement SQL!
>>
>> Example bad code:
>>
>> <cfset NewPassword = "whatever" />
>> <cfset Username = "bob' OR 1=1 --" />
>>
>> <cfquery ...>
>> UPDATE users
>> SET pass = '#NewPassword#'
>> WHERE user = '#Username#'
>> </cfquery>
>>
>>
>> Using cfqueryparam will avoid this problem.
>>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325504
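The three cases discussed in this thread side by side, as an added example that is not part of any post above: a quoted string value (which ColdFusion's automatic single-quote escaping neutralises for this payload), an unquoted numeric value (which it does not protect, because there is no quote to escape), a dynamically built statement passed through preserveSingleQuotes() (which switches the escaping off), and the cfqueryparam fix. The datasource name "app" and the users table layout (userid INTEGER, user VARCHAR, pass VARCHAR) are assumptions made for the illustration, and the attacker values are constructed inline.

```cfml
<!--- Added example, not code from the thread. Assumes a datasource "app"
      with a users table (userid INTEGER, user VARCHAR, pass VARCHAR);
      both the datasource name and the schema are assumptions. --->

<!--- Attacker-controlled values, constructed for the example. --->
<cfset NewPassword = "whatever" />
<cfset Username = "bob' OR 1=1 --" />
<cfset UserId   = "1 OR 1=1 --" />

<!--- Case 1: value interpolated inside single quotes.
      ColdFusion doubles single quotes in variables evaluated directly in
      the cfquery body, so the SQL actually sent is
          WHERE user = 'bob'' OR 1=1 --'
      which matches no user: this particular payload is neutralised. --->
<cfquery datasource="app">
    UPDATE users
    SET pass = '#NewPassword#'
    WHERE user = '#Username#'
</cfquery>

<!--- Case 2: value interpolated WITHOUT surrounding quotes, as is common
      for a numeric column. There is no quote for ColdFusion to escape,
      so the SQL sent is
          WHERE userid = 1 OR 1=1 --
      and every user's password is set to "whatever". --->
<cfquery datasource="app">
    UPDATE users
    SET pass = '#NewPassword#'
    WHERE userid = #UserId#
</cfquery>

<!--- Case 3: SQL built as a string first and then passed through
      preserveSingleQuotes(). The escaping is disabled for that string,
      so the quoted payload from Case 1 now works as well:
          WHERE user = 'bob' OR 1=1 --'   --->
<cfset sql = "UPDATE users SET pass = '#NewPassword#' WHERE user = '#Username#'" />
<cfquery datasource="app">
    #preserveSingleQuotes(sql)#
</cfquery>

<!--- Fix for Case 1/3: bind the string value. The value travels to the
      driver separately from the SQL text, so its quotes are data, not syntax. --->
<cfquery datasource="app">
    UPDATE users
    SET pass = <cfqueryparam value="#NewPassword#" cfsqltype="cf_sql_varchar" />
    WHERE user = <cfqueryparam value="#Username#" cfsqltype="cf_sql_varchar" />
</cfquery>

<!--- Fix for Case 2: bind the numeric value with an integer type.
      "1 OR 1=1 --" is not a valid integer, so ColdFusion raises an error
      before any SQL reaches the database instead of updating every row. --->
<cfquery datasource="app">
    UPDATE users
    SET pass = <cfqueryparam value="#NewPassword#" cfsqltype="cf_sql_varchar" />
    WHERE userid = <cfqueryparam value="#UserId#" cfsqltype="cf_sql_integer" />
</cfquery>
```

The practical rule this illustrates: the automatic escaping only doubles single quotes, and only for variables evaluated directly inside the cfquery body. It does nothing for values interpolated without quotes, and preserveSingleQuotes() turns it off entirely, so cfqueryparam on every user-supplied value is the only form that covers all three cases.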