hahah yea I saw that.. damn clouds. I want to see that thing go!
I'll definitely wrap everything in CFQUERYPARAM. Anything else that you saw in the code? Minus the "progress bar", everything else seems to work as I designed it. I can upload photos, delete them, add captions, move their order around, set one as the default pic, etc. I'm just making something like Craigslist but a bit nicer. Doesn't need to be super awesome, just easy and usable.

-Jason

On Tue, Oct 27, 2009 at 10:37 AM, Alan Williamson (aw1) <[email protected]> wrote:
>
> Then you have nothing to worry about. If they can't actually inject an
> SQL in via a TEXT string (like a comment form or something like that)
> then there is nothing they can do.
>
> but yes, CFQUERYPARAM is your ultimate weapon against injections,
> because it treats dynamic data differently underneath the covers, and
> doesn't simply append it to the string.
>
> ... even for MS SqlServer (regarding your other message).
>
> so unlike the Ares I-X launch, you are good to go! :)
>
> Jason King wrote:
> > The only thing that users can do to affect a query is change an ID value
> > in the URL. None of my code relies on the queries being passed via a
> > URL string or anything like that.
> > And I guess the cfqueryparam just checks to make sure the variable is
> > what it says it is. I just set it to match what the variable type should
> > be, such as integer, and if that fails, the query fails?

Open BlueDragon Public Mailing List http://groups.google.com/group/openbd?hl=en
official site @ http://www.openbluedragon.org/
!! save a network - trim replies before posting !!
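The two cases the thread talks about, an ID taken from the URL and a free-text caption, written out as an added CFML example. This is not code from Jason's application, from the message above, or from the OpenBD project; the `photos` table, its columns and the `application.dsn` datasource are assumed names. It puts the string-concatenated query next to the CFQUERYPARAM form so the difference in how the dynamic value reaches the driver is visible.

```cfml
<!--- Added example, not from the thread. Assumed schema: photos(id, caption, filename). --->

<!--- Unsafe form: url.id is spliced into the SQL text before it reaches the driver.
      A request such as ?id=1 OR 1=1 changes the WHERE clause instead of supplying a value.
      Shown only for contrast; do not use. --->
<cfquery name="qPhotoUnsafe" datasource="#application.dsn#">
    SELECT id, caption, filename
    FROM photos
    WHERE id = #url.id#
</cfquery>

<!--- Parameterised form. The SQL sent to the driver is "WHERE id = ?" and the value travels
      separately as a bound parameter, so it can never become part of the statement.
      cf_sql_integer also rejects the request before the query runs if url.id is not an integer. --->
<cfparam name="url.id" type="integer">
<cfquery name="qPhoto" datasource="#application.dsn#">
    SELECT id, caption, filename
    FROM photos
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same treatment for a free-text field. The caption is bound as a string parameter and
      capped at the column width (assumed 255 here); quotes or semicolons in the text are data,
      not SQL. --->
<cfparam name="form.caption" default="">
<cfquery name="qSetCaption" datasource="#application.dsn#">
    UPDATE photos
    SET caption = <cfqueryparam value="#form.caption#" cfsqltype="cf_sql_varchar" maxlength="255">
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

Checking this in practice: request the page with `?id=1 OR 1=1`. The `qPhotoUnsafe` form returns every row (or errors, depending on the driver), while the `cfparam`/`cf_sql_integer` form throws a type error before any SQL is sent, which is the behaviour the thread's "if that fails, the query fails?" question is asking about. For the text case the driver's query log should show the literal `?` placeholder rather than the caption text.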
