The only thing that users can do to affect a query is change an ID value in the URL.. None of my code relies on the queries being passed via a URL string or anything like that.
And I guess the cfqueryparam just checks to make sure the variable is what it says it is. I just set it to match what the variable type should be, such as integer, and if that fails, the query fails? -Jason On Tue, Oct 27, 2009 at 10:28 AM, Alan Williamson (aw1) <[email protected]>wrote: > > With respect to SQL injections and OpenBD ... you don't have to worry > too much about it if you are using MYSQL. > > The CFQUERY implementation doesn't permit two statements to be executed > in one block anyway, as the underlying driver validates the query first > of all, and if it doesn't parse it won't get sent to the server. > > I tried to inject code myself, and found it near on impossible; but i > could do it with a PHP page. This was a few years back i grant you. > > But the safest way you can do protect yourself, is to simply use > <CFQUERYPARAM> and do NOT build up your query via string building. > > This simple little step pretty null'n'voids all injection attacks. > > > > --~--~---------~--~----~------------~-------~--~----~ Open BlueDragon Public Mailing List http://groups.google.com/group/openbd?hl=en official site @ http://www.openbluedragon.org/ !! save a network - trim replies before posting !! -~----------~----~----~----~------~----~------~--~---
