Yes.  All queries should use cfqueryparam to prevent SQL injection.
-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what they do not want to hear."
    -- George Orwell, 1945



On Aug 6, 2008, at 12:40 PM, Sam Singer wrote:

I'm using QueryParam Scanner to identify any potential vulnerabilities. It is flagging code that uses application or session scoped variables such as:

WHERE
       DeptID = #Application.DeptID#
       ORDER BY Lastname

Should Application.DeptID be cfqueryparamed?  What about:
WHERE
       PersonID = #GetAuthUser()#

Thanks,
Sam



-------------------------------------------------------------
To unsubscribe from this list, manage your profile 
@http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
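The hardened form of both queries from the thread, written out as an added example (not code from either poster). The datasource name "hr", the table "Persons" and the column list are placeholders; the point is that each dynamic value, whether it comes from the Application scope or from GetAuthUser(), is passed through cfqueryparam with a declared SQL type rather than interpolated into the SQL string.

```cfml
<!--- Added example: both values from the thread bound as typed parameters.
      "hr" and "Persons" are placeholder names, not from the original post. --->

<!--- Application-scoped value: still a parameter. cf_sql_integer makes CF
      reject a non-numeric value before the statement reaches the database. --->
<cfquery name="qDept" datasource="hr">
    SELECT PersonID, Lastname
    FROM   Persons
    WHERE  DeptID = <cfqueryparam value="#Application.DeptID#" cfsqltype="cf_sql_integer">
    ORDER BY Lastname
</cfquery>

<!--- Authenticated user name: bound as a bounded varchar, so whatever was
      supplied at login can only ever be compared as data. --->
<cfquery name="qMe" datasource="hr">
    SELECT PersonID, Lastname
    FROM   Persons
    WHERE  PersonID = <cfqueryparam value="#GetAuthUser()#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>
```

Two things the scanner's flag is really about: the source scope of a value says nothing about where it was originally set, and parameterizing costs nothing, so the uniform rule ("every value is a parameter") is easier to audit than per-variable judgement calls. Note that cfqueryparam binds values only; an identifier such as the ORDER BY column cannot be parameterized and, if it ever became dynamic, would need to be checked against a fixed list of allowed column names.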