> Protecting against SQL injection also requires more than simply validating
> datatypes; relying on cfqueryparam to do this will only protect you from
> the basic drive-by injections that rely on numeric fields accepting
> strings, not advanced injections which can be done on any text field.

This is not correct - or perhaps I misunderstand what you mean.

If you use CFQUERYPARAM for every field that may contain untrusted
data, it will, as a side-effect of parameterizing your queries, tell
the database that the value of the field is to be treated as data
rather than as executable code. In other words, it will prevent ALL
SQL injection attacks.

It will not prevent other sorts of attacks (XSS, CSRF, etc, etc) but
it will absolutely, positively, prevent all SQL injection attacks.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
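The mechanism described in the reply, shown as an added example that is not from the original thread: the same placeholder-plus-separate-value behaviour that cfqueryparam gives a cfquery, demonstrated here with Python's sqlite3 as a stand-in for CFML. The users table, its rows and the test input are constructed for the example.

```python
import sqlite3

# Constructed sample data: a users table with two rows.
SEED_ROWS = [(1, "alice"), (2, "bob")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SEED_ROWS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """The unsafe pattern: the untrusted value is spliced into the SQL text.
    Quoting the field does not help; the database parses whatever the string
    contains as part of the statement, so a text column is just as exposed
    as a numeric one."""
    sql = f"SELECT id, name FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The cfqueryparam pattern: the statement goes to the database with a
    placeholder and the value travels separately, so the database treats it
    purely as data. Quotes or SQL keywords inside the value are only ever
    compared against the name column; they cannot change the statement."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def demonstrate() -> dict:
    """Run both lookups with a constructed input that carries a quote and an
    OR clause, returning the row counts so the difference is visible:
    the concatenated query returns every row, the parameterized one none."""
    conn = make_db()
    crafted = "x' OR '1'='1"
    return {
        "concatenated": len(lookup_concatenated(conn, crafted)),
        "parameterized": len(lookup_parameterized(conn, crafted)),
    }
```

The parameterized lookup still returns the matching row for an ordinary name, so the protection costs nothing in normal use.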

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354839