Sadly I cannot provide any links as proof, so I won't argue with you, but I
am sure I have seen someone on this list provide some advanced SQL
injection examples that got through cfqueryparam


On Tue, Mar 5, 2013 at 9:50 PM, Dave Watts <dwa...@figleaf.com> wrote:

>
> > Protecting against sql injection also requires more than simply
> validating
> > datatypes, relying on cfqueryparam to do this will only protect you from
> > the basic drive by injections that rely on numeric fields accepting
> > strings, not advanced injections which can be done on any text field.
>
> This is not correct - or perhaps I misunderstand what you mean.
>
> If you use CFQUERYPARAM for every field that may contain untrusted
> data, it will, as a side-effect of parameterizing your queries, tell
> the database that the value of the field is to be treated as data
> rather than as executable code. In other words, it will prevent ALL
> SQL injection attacks.
>
> It will not prevent other sorts of attacks (XSS, CSRF, etc, etc) but
> it will absolutely, positively, prevent all SQL injection attacks.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
>
> 
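As an added illustration of the mechanism Dave describes (this is example code written for this page, not from the thread; it uses Python's sqlite3 module with a constructed users table instead of CFML, but a bound `?` parameter here plays the same role as cfqueryparam in a cfquery): the same untrusted string is parsed as SQL when spliced into the statement text and treated as inert data when bound as a parameter.

```python
import sqlite3

# Constructed sample data (not from the mailing-list post).
USERS = [("alice", "secret1"), ("bob", "secret2"), ("carol", "secret3")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concatenated(conn, name):
    # Vulnerable pattern: the untrusted value becomes part of the SQL text,
    # so the database parser sees it as statement, not as a value.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Safe pattern: the SQL text is fixed; the value is sent separately as a
    # bound parameter (the equivalent of cfqueryparam in CFML).
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    conn = make_db()
    # Textbook tautology input: closes the quoted literal and appends an OR.
    hostile = "' OR '1'='1"
    # A legitimate value that happens to contain a quote character.
    awkward = "O'Brien"
    try:
        concat_awkward = lookup_concatenated(conn, awkward)
    except sqlite3.OperationalError:
        concat_awkward = "syntax error"  # the quote broke the statement
    return {
        "concatenated": lookup_concatenated(conn, hostile),   # all rows
        "parameterized": lookup_parameterized(conn, hostile),  # no rows
        "parameterized_legit": lookup_parameterized(conn, "bob"),
        "concatenated_awkward": concat_awkward,
        "parameterized_awkward": lookup_parameterized(conn, awkward),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The parameterized lookup returns no rows for the hostile string because the whole string, quote and all, is compared against the name column as a value; the concatenated version returns every row because the quote ended the literal and the rest became SQL.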

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354841