This tag, CodeCleaner, I just looked at it and it doesn't look like it should be used for SQL injection hack protection. It looks like it will clean a string so that it can be rendered back to the browser without JavaScript, meta refreshes and the like happening. But if you look at the source (or the instructions) it does not remove DROP or ALTER keywords or really anything to do with SQL.
Brook

At 05:41 PM 03/09/02 +0200, you wrote:
>Matt Robertson wrote:
> > In the past I've used the CodeCleaner custom tag to scrub form inputs.
> > Recently I've expanded my use of CFQUERYPARAM to include values in SQL
> > UPDATE and INSERT statements, rather than just for the WHERE clause.
> >
> > Does cfqueryparam eliminate the need to scrub the code? My gut feeling
> > is 'yes' for cfsqltype=cf_sql_numeric and an emphatic 'NO' for
> > cfsqltype=cf_sql_varchar. Any confirmation/correction would be
> > appreciated.
>
>cfqueryparam eliminates the need for scrubbing. It might or might not,
>depending on your requirements, eliminate the need for trimming.
>
>Jochem
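As an added example (not code from anyone in this thread), here is the UPDATE and INSERT pair Matt describes, first with form values pasted into the SQL text and then rewritten with cfqueryparam, followed by the output-escaping step that cfqueryparam does not cover and that a tag like CodeCleaner is actually about. The table and column names, the datasource name and the form field names are assumptions.

```cfml
<!--- Added example. Assumes a table "users" with columns id (integer) and
      display_name (varchar), a datasource "myDSN", and a form posting
      form.id and form.display_name. None of these come from the thread. --->

<!--- Before: form values are spliced straight into the SQL text. Whatever the
      user typed becomes part of the statement, which is the injection risk.
      No amount of HTML/JavaScript cleaning changes that. --->
<cfquery name="updateUserUnsafe" datasource="myDSN">
    UPDATE users
    SET display_name = '#form.display_name#'
    WHERE id = #form.id#
</cfquery>

<!--- After: each user-supplied value is bound with cfqueryparam. The driver
      receives it as a typed parameter, never as SQL text, so quotes or SQL
      keywords inside it stay inert data. cfqueryparam also rejects a value
      that does not fit the declared cfsqltype (e.g. text for cf_sql_integer)
      and maxlength caps the length, so no separate scrubbing step is needed
      for the query itself. --->
<cfquery name="updateUser" datasource="myDSN">
    UPDATE users
    SET display_name = <cfqueryparam value="#Trim(form.display_name)#"
                                     cfsqltype="cf_sql_varchar" maxlength="100">
    WHERE id = <cfqueryparam value="#form.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- The INSERT case works the same way: bind every value, not just the
      ones in a WHERE clause. --->
<cfquery name="insertUser" datasource="myDSN">
    INSERT INTO users (display_name)
    VALUES (<cfqueryparam value="#Trim(form.display_name)#"
                          cfsqltype="cf_sql_varchar" maxlength="100">)
</cfquery>

<!--- Separate concern: rendering the stored value back to a browser.
      cfqueryparam does nothing here. HTMLEditFormat() escapes <, >, & and
      quotes on output, which is the kind of job CodeCleaner was doing. --->
<cfoutput>
    <p>Hello, #HTMLEditFormat(form.display_name)#</p>
</cfoutput>
```

Trim() in the bound values is the "trimming" Jochem mentions; whether to keep it is a data-quality choice, not a security one.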

