> I can see how it may be possible to insert SQL into a number variable
> on a web form given the var isn't quoted. But are varchar2 type vars
> invulnerable simply because they are single quoted in the query? Or are
> there ways that even that would allow SQL insertion? It seems impossible
> to me but then I'm not an expert on SQL.
>
> What about date type vars?  They aren't quoted.

If you use CFQUERYPARAM with all variables sent by the browser, you'll be
ok. If you don't, any one of those variables can be used to send SQL
commands of various sorts, including those you want to save to varchar2
fields.

> The MM docs mention
> "Some databases, including Microsoft SQL Server and Sybase SQL Server,
> support the ability to send multiple SQL statements with each query."
>
> How are they defining multiple SQL statements... they are referring to
> semicolon-separated SQL statements, right?

In many database platforms, you can use semicolons to separate SQL
statements within a single SQL batch. I don't know if that's true for all of
them, or if there are other ways to do it, but if there are, they'd count as
multiple SQL statements as well.

> They didn't mention Oracle in the list, so does anyone know if Oracle
> allows multiple statements?

I suspect this may have more to do with specific database drivers than with
the databases themselves.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
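As an added example (not from the original thread), the pattern Dave describes: the same lookup written once with raw interpolation and once with CFQUERYPARAM binding each of the three column types the question raises (number, varchar2, date). The datasource, table and column names are assumed for illustration.

```cfml
<!--- Unsafe (assumed schema): every browser-supplied value is spliced into
      the SQL text. Quoting the varchar2 value does not help; the number,
      the string and the date all become part of the statement the
      database parses. --->
<cfquery name="qUnsafe" datasource="ora_dsn">
    SELECT order_id, customer_name, order_date
    FROM   orders
    WHERE  order_id      = #URL.orderId#
    AND    customer_name = '#URL.customerName#'
    AND    order_date    = TO_DATE('#URL.orderDate#', 'YYYY-MM-DD')
</cfquery>

<!--- Safe: CFQUERYPARAM sends each value as a typed bind parameter, so the
      database receives it as data, never as SQL. A value that does not
      match the declared cfsqltype (for example a non-integer for
      cf_sql_integer) is rejected by ColdFusion before the query runs. --->
<cfquery name="qSafe" datasource="ora_dsn">
    SELECT order_id, customer_name, order_date
    FROM   orders
    WHERE  order_id      = <cfqueryparam value="#URL.orderId#"
                                         cfsqltype="cf_sql_integer">
    AND    customer_name = <cfqueryparam value="#URL.customerName#"
                                         cfsqltype="cf_sql_varchar"
                                         maxlength="100">
    AND    order_date    = <cfqueryparam value="#URL.orderDate#"
                                         cfsqltype="cf_sql_date">
</cfquery>
```

Binding the date as cf_sql_date also removes the need for the TO_DATE() wrapper, since the driver passes a date value rather than a string for Oracle to convert.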