> harmful SQL statements that someone might try to include into
> a URL or FORM field entry.
Well, no, it doesn't rip out all harmful SQL statements. I can think of a
half-dozen SQL Server-specific commands that are commonly used in SQL
injection attacks, for example.
When you use CFQUERYPARAM, it's not just validating the data. It's telling
the database server that the variables in question contain only data, not
executable SQL. So, it doesn't matter what you put in the variable, the
database server won't execute it.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
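The distinction Dave draws above, a value bound as a query parameter versus text the database parses as SQL, can be seen directly with a runnable example. This is an added example, not code from the original thread: it uses Python's sqlite3 module, whose `?` placeholders play the same role as CFQUERYPARAM in a CFQUERY. The `users` table, its rows and the lookup names are all constructed here for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
USERS = [("alice", "pw-alice"), ("bob", "pw-bob")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, pw TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the caller's value is pasted into the SQL text,
    so the database parses whatever it contains as part of the statement."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn, name):
    """Parameterized form (the CFQUERYPARAM idea): the statement text is
    fixed and the value is handed to the database separately as data.
    Quotes or SQL keywords inside the value are never interpreted."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def add_user_param(conn, name, pw):
    """Writes benefit the same way: an apostrophe in a name is just data."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (name, pw))
    return lookup_param(conn, name)


if __name__ == "__main__":
    db = make_db()
    print("concat, normal input:", lookup_concat(db, "alice"))
    print("param,  normal input:", lookup_param(db, "alice"))
    # A value containing a quote: the concatenated query breaks, the
    # parameterized one simply stores and finds the literal name.
    try:
        lookup_concat(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("concat, O'Brien ->", exc)
    print("param,  O'Brien ->", add_user_param(db, "O'Brien", "pw-obrien"))
```

Run as a script, the concatenated lookup fails on a legitimate name like O'Brien because the quote terminates the string literal, while the parameterized lookup stores and finds it. The same mechanism is why a parameter can never widen a WHERE clause: the database compiles the statement with its placeholder first and only then receives the value, so there is nothing to "rip out". In CFML the equivalent is writing the value inside a `<cfqueryparam value="..." cfsqltype="...">` tag instead of interpolating it into the CFQUERY body.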