Andrew Golden wrote:
> At 04:04 PM 1/24/2003 +0100, you wrote:
>
>> I would not rely on the functionality of CF MX to provide this kind of
>> security. In combination with various database escape characters it is
>> rather easy to circumvent.
>
> Hmmm....had not heard that yet. Is there a list of what to check for so I
> can throw together a <cfinclude> to check for these strings? Has anyone
> else already done something similar?

Use cfqueryparam and you will be fine. But this thread started with *not* using cfqueryparam, so then it is an issue. If you want to do this manually it is database dependent, check for the <database escape character><quote> sequence (CF MX will properly double the quote but not the escape character in front).

Jochem
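Added example, not part of the original post or of ColdFusion: a Python model of why quote doubling alone is database dependent, next to the manual check and a bound parameter. Assumptions: `double_quotes` only models the doubling described above, backslash is taken as the escape character, all function names are hypothetical, and `sqlite3` parameter binding stands in for what `cfqueryparam` does.

```python
import sqlite3

def double_quotes(value: str) -> str:
    """Model of automatic quote doubling: ' becomes '', nothing else changes."""
    return value.replace("'", "''")

def literal_end(sql: str, backslash_escapes: bool) -> int:
    """Index of the quote closing the literal opened at sql[0], or -1."""
    i = 1
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\":
            i += 2                      # escape character consumes the next character
            continue
        if ch == "'":
            if sql[i + 1:i + 2] == "'":
                i += 2                  # doubled quote is one literal quote
                continue
            return i                    # unpaired quote closes the literal
        i += 1
    return -1

def stays_inside_literal(value: str, backslash_escapes: bool) -> bool:
    """True if the doubled value is still one complete string literal."""
    sql = "'" + double_quotes(value) + "'"
    return literal_end(sql, backslash_escapes) == len(sql) - 1

def needs_review(value: str, escape_char: str = "\\") -> bool:
    """Manual check from the post: <database escape character><quote>."""
    return (escape_char + "'") in value

def bound_round_trip(value: str) -> str:
    """Bind the value as a parameter; it is never parsed as SQL text."""
    con = sqlite3.connect(":memory:")
    try:
        return con.execute("SELECT ?", (value,)).fetchone()[0]
    finally:
        con.close()

SAMPLE = "O\\'Brien"   # constructed input: O, backslash, quote, Brien

if __name__ == "__main__":
    for dialect, flag in (("standard quoting", False), ("backslash escapes", True)):
        print(dialect, "-> literal intact:", stays_inside_literal(SAMPLE, flag))
    print("manual check flags sample:", needs_review(SAMPLE))
    print("bound parameter returns input unchanged:", bound_round_trip(SAMPLE) == SAMPLE)
```
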

