This still doesn't look like it would stop someone from entering a ' into
the string and then executing a SQL statement.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-----Original Message-----
From: Sharon Diorio [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:37 PM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?


<cfparam type="date|numeric|string|boolean|UUID|..."> can be used for
validating almost anything.  It's an underused function.

Sharon DiOrio

----- Original Message ----- 
From: "Justin Scott" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, April 12, 2002 12:30 PM
Subject: Re: Preventing SQL injection attacks...?


> > won't execute SQL, but only evaluate it as a string input.  So if you're
> > expecting numbers, then validate, using isNumeric() or CFQueryParam.
> 
> Or if you know a value must be numeric, wrap a val() around it.  That will
> knock any text strings down to 0 and prevent an SQL error from being thrown,
> as well as allow your app to handle the empty record set just as if any
> other invalid numeric value had been tossed at it.
> 
> -Justin Scott, Lead Developer
>  Sceiron Internet Services, Inc.
>  http://www.sceiron.com
> 
> 
> 

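A worked example, added here and not part of any message in the thread, putting the three suggestions (Sharon's cfparam, Justin's val(), and cfqueryparam) side by side in ColdFusion. The datasource name myDSN and the users table with an integer id column and a varchar username column are assumptions made for the example.

```cfml
<!--- Added example; not from any message in the thread. Assumes a datasource
      "myDSN" and a table users(id INTEGER, username VARCHAR). --->

<!--- The dangerous case: a numeric id dropped into the SQL with no quotes
      around it. ColdFusion only escapes single quotes for values that land
      inside a quoted literal, so here whatever url.id holds becomes SQL text. --->
<cfquery name="qBad" datasource="myDSN">
    SELECT id, username FROM users
    WHERE id = #url.id#
</cfquery>

<!--- Defence 1 (Sharon): cfparam with a type rejects the request outright
      if url.id is missing or is not numeric. --->
<cfparam name="url.id" type="numeric">

<!--- Defence 2 (Justin): val() collapses anything non-numeric to 0, so a
      bad value yields an empty record set instead of an SQL error. --->
<cfset safeId = val(url.id)>

<!--- Defence 3: cfqueryparam sends each value as a typed bind parameter,
      never as SQL text, which covers both numeric and string positions
      (a ' in form.username is just data here). --->
<cfquery name="qGood" datasource="myDSN">
    SELECT id, username FROM users
    WHERE id = <cfqueryparam value="#safeId#" cfsqltype="cf_sql_integer">
      AND username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>
```

The unquoted numeric position in qBad is the one that none of ColdFusion's automatic quote handling protects, so that is where val(), a typed cfparam, or cfqueryparam matters most; cfqueryparam is the one that also covers the string position and is the form to prefer throughout.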
______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for 
dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
