http://www.winnetmag.com/SQLServer/Article/ArticleID/23011/23011.html
-----Original Message-----
From: Steve Nelson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 10:03 AM
To: CF-Talk
Subject: RE: why are procedures better?
http://192.168.0.100/experiments/temp/queries.cfm?user_id=\'1\'
getuser (Records=0, Time=141ms)
SQL =
select first_name
from users
where user_id='\''1\'''
I just gave it a try. It looks like it is doubled up by CF.
Steve
-----Original Message-----
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 9:27 AM
To: CF-Talk
Subject: Re: why are procedures better?
And the backslash, which is not doubled by CF, negates the first
of these quotes in databases that use C-style escaping:
http://192.168.0.100/experiments/temp/queries.cfm?user_id=h4ck3r\';DROP%20TABLE%20temp;%20COMMIT;%20--'
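To make the point of this exchange concrete, here is an added worked example (editor's code, not from either poster or from ColdFusion). It assumes that the only escaping CF applied was the quote doubling visible in the getuser debug output above, and it models two simplified string-literal grammars: standard SQL, where only '' escapes a quote, and the C-style rule used by MySQL (and by PostgreSQL before standard_conforming_strings defaulted to on), where a backslash escapes the next character. The splitter is a toy tokenizer for illustration, not a real SQL parser. Run against the payload from the URL above, it shows the same doubled-quote query being one harmless statement under standard rules and three statements under C-style rules.

```python
from urllib.parse import unquote


def cf_quote_doubling(value: str) -> str:
    """Mimic the escaping visible in the debug output: every single quote
    becomes two, backslashes pass through untouched (assumption: that is all
    the page's CF setup did)."""
    return value.replace("'", "''")


def build_query(user_id: str) -> str:
    """The getuser query from the thread, built by string concatenation."""
    return ("select first_name from users "
            f"where user_id='{cf_quote_doubling(user_id)}'")


def split_statements(sql: str, backslash_escapes: bool) -> list[str]:
    """Return the statements a database would see: split on ';' outside
    string literals and drop '--' comments. With backslash_escapes=True a
    backslash inside a literal escapes the following character (MySQL-style);
    with False only '' escapes a quote (standard SQL). Toy tokenizer only."""
    statements: list[str] = []
    current: list[str] = []
    in_string = False
    i = 0
    while i < len(sql):
        c = sql[i]
        if in_string:
            if backslash_escapes and c == "\\" and i + 1 < len(sql):
                current.append(sql[i:i + 2])   # backslash eats the next char
                i += 2
                continue
            if c == "'":
                if sql[i + 1:i + 2] == "'":     # '' is an escaped quote
                    current.append("''")
                    i += 2
                    continue
                in_string = False              # closing quote
            current.append(c)
            i += 1
            continue
        if c == "'":
            in_string = True
            current.append(c)
        elif sql.startswith("--", i):          # comment to end of line
            newline = sql.find("\n", i)
            i = len(sql) if newline == -1 else newline
            continue
        elif c == ";":
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(c)
        i += 1
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements


# The user_id value from Jochem's URL, URL-decoded (constructed from the URL above).
JOCHEM_PAYLOAD = unquote("h4ck3r\\';DROP%20TABLE%20temp;%20COMMIT;%20--'")


def statements_seen(user_id: str, backslash_escapes: bool) -> list[str]:
    """Build the query exactly as CF would and parse it under the given rule."""
    return split_statements(build_query(user_id), backslash_escapes)


if __name__ == "__main__":
    for mode in (False, True):
        print(f"backslash_escapes={mode}:")
        for stmt in statements_seen(JOCHEM_PAYLOAD, mode):
            print("   ", stmt)
```

Under standard rules the doubled quotes keep the whole payload inside the literal; under C-style rules the `\'` consumes the first of CF's two quotes, the second closes the string early, and `DROP TABLE temp` and `COMMIT` arrive as their own statements with the trailing quote commented away. Doubling quotes is therefore only as good as the database's escaping rules; binding the value with `<cfqueryparam>` (or a stored procedure parameter) sidesteps the question entirely.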

