Ok found an example for you. www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me
>> Sadly I cannot provide any links as proof, so I wont argue with you, but I >> am sure I have seen someone on this list provide some advanced sql >> injection examples that got through cfqueryparam > >The only way for this to be possible is to do something with the data >in your SQL after receiving the parameters that would explicitly treat >the data as code. For example, you could have a parameterized stored >procedure that takes something declared as data and tries to execute >it (EXEC, EXECUTE, sp_executesql for example take strings and >explicitly try to execute them as code). > >But that is not a limitation of CFQUERYPARAM or an example of SQL >injection from ColdFusion - even in that case, CF is explicitly >telling the database, "this part is code, this other part is data". By >telling the database that parameters are data, you are preventing them >from being inadvertently treated as code. > >Dave Watts, CTO, Fig Leaf Software >http://www.figleaf.com/ >http://training.figleaf.com/ > >Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on >GSA Schedule, and provides the highest caliber vendor-authorized >instruction at our training centers, online, or onsite. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354888 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm