Good point.  However, this script's purpose is to strip out unwanted data
from URL and FORM scopes.  It can be used for much more than just SQL.
Simply add some regular expressions to remove HTML, XML, DOM, CF, or
anything you like.  CFQUERYPARAM does not do that... and that is the
difference.

I'll be using both methods to add more Layers to my security Onion.  :-)

-----Original Message-----
Well, no, it doesn't rip out all harmful SQL statements. I can think of a
half-dozen SQL Server-specific commands that are commonly used in SQL
injection attacks, for example.

When you use CFQUERYPARAM, it's not just validating the data. It's telling
the database server that the variables in question contain only data, not
executable SQL. So, it doesn't matter what you put in the variable, the
database server won't execute it.
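The distinction drawn above, as an added example that is not part of the original thread: Python's sqlite3 stands in for cfquery/cfqueryparam, and the blacklist regex, the `strip_sql` filter and the `users` table are constructed for the illustration.

```python
import re
import sqlite3

# Constructed sample data: a small users table in an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn

# Hypothetical "strip unwanted SQL" filter of the kind the thread describes:
# a keyword blacklist removed from URL/FORM values before they are
# concatenated into a query.
BLACKLIST = re.compile(
    r"\b(select|insert|update|delete|drop|union|exec|xp_\w+)\b", re.IGNORECASE
)

def strip_sql(value):
    """Remove blacklisted keywords; anything not on the list passes through."""
    return BLACKLIST.sub("", value)

def lookup_by_name_concat(conn, name):
    """Filtered value spliced into the SQL text: the engine still parses the
    value as part of the statement, so quotes in it change the query."""
    sql = "SELECT id FROM users WHERE name = '" + strip_sql(name) + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def lookup_by_name_param(conn, name):
    """Bound parameter (cfqueryparam's model): the value reaches the engine as
    data only and is never parsed as SQL, whatever it contains."""
    rows = conn.execute("SELECT id FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"     # contains no blacklisted keyword
    print("concat:", lookup_by_name_concat(db, probe))   # every row: [1, 2, 3]
    print("param: ", lookup_by_name_param(db, probe))    # no such name: []
```

The filtered-concatenation path returns every row for an input that the keyword list never touches, while the parameterized path treats the same input as a literal name and matches nothing; a plain name such as O'Brien also breaks the concatenated query but is harmless as a parameter.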