<cfqueryparam> will be fully sufficient against those types of attacks, because it will NOT allow the code to 'execute' as you are explaining.
Dave

-----Original Message-----
From: Larry Schaberg [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 28, 2008 9:46 AM
To: cf-newbie
Subject: Re: Question on cfqueryparam CFMX7 and HEX

For the last few months, some websites I run, as well as some other websites for companies I used to work for, have had SQL statements meant to do SQL injection encoded in a hex format and used in the URL parameters. In the hex, if you change it to ASCII text, you can see the SQL code. The SQL code contains exec() as well as some other statements.

It sounds from what you're saying that the hex would be sent to the DB and the code run? My understanding from talking to my IT director is that hex can be run by the database if sent to it.

I was just trying to find out if the hex string was passed into the <cfqueryparam> and the <cfqueryparam> was varchar, would it then be passed to the database where the string would be run, effectively doing a SQL injection attack?

Hope I am making sense.

Thanks,
Larry

>What do you mean by 'execute'?
>
>Can you give me a specific example of what you are talking about?
>
>Dave
>
>Yes, so it sounds like it would go through to the database and execute if I
>am understanding correctly?
>
>etc.
>>If it does, then I do not need to do this anymore.
>>
>>
>>Thanks in advance.

Archive: http://www.houseoffusion.com/groups/cf-newbie/message.cfm/messageid:4091
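An added example, not part of the thread, showing the raw-interpolation pattern Larry is worried about beside the cfqueryparam form Dave describes. The datasource name "myDSN", the products table and the URL parameters are assumed for illustration.

```cfml
<!--- Added example, not from the thread. Datasource "myDSN", table
      "products" and the URL parameters are assumed for illustration. --->

<!--- BEFORE (injectable): url.category is spliced into the SQL text, so the
      database parses whatever the parameter decodes to as part of the
      statement itself. --->
<cfquery name="getProducts" datasource="myDSN">
    SELECT id, name
    FROM products
    WHERE category = '#url.category#'
</cfquery>

<!--- AFTER (parameterized): the value travels as a bound varchar parameter.
      The database never treats it as statement text, so a hex-encoded string
      is compared or stored as characters and is not executed. maxlength
      rejects values longer than the column allows. --->
<cfquery name="getProducts" datasource="myDSN">
    SELECT id, name
    FROM products
    WHERE category = <cfqueryparam value="#url.category#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>

<!--- Numeric inputs: with cf_sql_integer, ColdFusion validates the value
      before the query is sent, so a non-numeric (for example encoded) value
      raises an error instead of reaching the database at all. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

The parameter is bound only for the query it appears in: a value that was stored safely this way but is later concatenated into SQL text (in another cfquery or in dynamic SQL inside a stored procedure) is exposed again, so every query that touches user-supplied data needs its own cfqueryparam.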
