Matt Robertson wrote:

> Dave,
>
> The results seen in the previous thread bring up a question: why use
> cfqueryparam at all on form inputs that are not used in a WHERE clause,
> especially when a good input scrubber is already in use?
>
> I can already see one answer: cfsqltype=cf_sql_numeric will throw an
> error if a sql injection is attempted. So use cfqueryparam on those.
> But what about cfsqltype=cf_sql_varchar? I can see a clear need for it
> in a WHERE clause, but with inputs? When a scrubber is already in use?
> What does it do in that specific case?
Your scrubber is unicode aware. Is your wire protocol unicode aware? Is any translation performed for the wire protocol? Is that translation protected from generating dangerous characters? Do you even know the dangerous characters for all databases?

If you like the answer to all of these questions, go for the scrubber. I go for cfqueryparam.

Jochem

______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
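The failure Jochem is pointing at, as an added example that is not part of the original thread: a scrubber checks the value before a translation step, the translation produces the quote character the scrubber was looking for, and the value ends up in an INSERT (not a WHERE clause) where the quote still counts as SQL syntax. The scrubber, the translation step (NFKC normalization standing in for a charset or best-fit conversion) and the input are constructed for this example; the bound parameter plays the role of cfqueryparam.

```python
import sqlite3
import unicodedata


def scrub_ok(value: str) -> bool:
    # Constructed scrubber: only knows the ASCII apostrophe.
    return "'" not in value


def wire_translate(value: str) -> str:
    # Stand-in for a conversion between application and database.
    # NFKC maps FULLWIDTH APOSTROPHE (U+FF07) to ASCII apostrophe (U+0027).
    return unicodedata.normalize("NFKC", value)


def insert_concatenated(conn: sqlite3.Connection, name: str) -> str:
    # Value pasted into the SQL text: its apostrophe becomes syntax.
    sql = "INSERT INTO users(name) VALUES ('" + name + "')"
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def insert_parameterized(conn: sqlite3.Connection, name: str) -> str:
    # Value sent as a bound parameter, which is what cfqueryparam does:
    # the database never reads its characters as SQL.
    conn.execute("INSERT INTO users(name) VALUES (?)", (name,))
    return "ok"


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    raw = "O\uff07Brien"          # constructed input with a fullwidth apostrophe
    passed = scrub_ok(raw)        # True: no ASCII quote seen at check time
    sent = wire_translate(raw)    # "O'Brien": the quote appears after the check
    concat = insert_concatenated(conn, sent)
    param = insert_parameterized(conn, sent)
    stored = [row[0] for row in conn.execute("SELECT name FROM users")]
    return {"scrubber_passed": passed, "translated": sent,
            "concatenated": concat, "parameterized": param, "stored": stored}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```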

