> Sadly I cannot provide any links as proof, so I won't argue with you, but I
> am sure I have seen someone on this list provide some advanced sql
> injection examples that got through cfqueryparam
The only way for this to be possible is to do something with the data in your SQL after receiving the parameters that would explicitly treat the data as code. For example, you could have a parameterized stored procedure that takes something declared as data and tries to execute it (EXEC, EXECUTE, sp_executesql for example take strings and explicitly try to execute them as code). But that is not a limitation of CFQUERYPARAM or an example of SQL injection from ColdFusion - even in that case, CF is explicitly telling the database, "this part is code, this other part is data". By telling the database that parameters are data, you are preventing them from being inadvertently treated as code.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354843
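To make the distinction in the reply concrete, here is an added example (not from the original thread, and not Fig Leaf's or Adobe's code): a T-SQL stored procedure that receives a bound parameter but then concatenates it into a string and hands that string to EXEC, beside a version that keeps the value as a parameter all the way through sp_executesql. The table, procedure and column names (dbo.Customers, dbo.usp_FindCustomer, @LastName) are hypothetical, and the closing catalog query is only a rough review heuristic.

```sql
-- Constructed example: the same lookup written two ways.
-- All object names are hypothetical.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(255) NOT NULL
);
GO

-- Version 1: @LastName arrives as a bound parameter (data), but the
-- procedure splices it into a string and hands that string to EXEC.
-- At that point the database is told "this is code", so whatever the
-- caller did to bind the value no longer protects anything.
CREATE PROCEDURE dbo.usp_FindCustomer_Unsafe
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, LastName, Email FROM dbo.Customers '
             + N'WHERE LastName = ''' + @LastName + N''';';
    EXEC (@sql);   -- data re-interpreted as code
END;
GO

-- Version 2: dynamic SQL is still used, but the value travels as a
-- parameter to sp_executesql. The statement text is fixed; @LastName
-- stays data from the cfqueryparam call down to the executed plan.
CREATE PROCEDURE dbo.usp_FindCustomer
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) = N'SELECT CustomerId, LastName, Email '
                               + N'FROM dbo.Customers WHERE LastName = @ln;';
    EXEC sp_executesql @sql, N'@ln NVARCHAR(100)', @ln = @LastName;
END;
GO

-- Rough review heuristic (not exhaustive): list procedures whose text
-- contains EXEC and a concatenated parameter, so they can be inspected
-- for the "data becomes code" pattern shown in Version 1.
SELECT OBJECT_NAME(m.object_id) AS procedure_name
FROM sys.sql_modules AS m
WHERE m.definition LIKE '%EXEC%'
  AND m.definition LIKE '%+ @%';
```

Calling either procedure from ColdFusion with a `<cfqueryparam cfsqltype="cf_sql_varchar">` binds @LastName as data; only the first procedure turns that data back into code.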