> I have tried this but ran into casting issues. MX would make
> the wrong guess at the data type of the column.

In that case, I'd recommend that you just put the query objects within the Session, Application or Server scopes as appropriate. If you're writing the application yourself, this is usually pretty easy to do.

> Would the statement made by Rick still hold true, though? The
> attack would need to be able to close the single quotes to
> embed an attack. B/C CF escapes them, the embedded SQL
> would always occur inside 'quotes', thus not being executed but
> interpreted literally.

You're trying to figure out all of the possible ways that SQL injection attacks may occur, rather than simply saying to the database "don't treat these values as code". This is not a battle that you want to fight. What happens, for example, if I pass Unicode escape sequences within an SQL injection attack string? My guess is that CF won't escape them for you.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
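The "don't treat these values as code" approach from the reply above, written out as an added CFML example (not code posted in this thread): the request value is passed to the driver as a typed bind parameter with cfqueryparam instead of being pasted into the SQL text, and a request-independent query object is kept in the Application scope as the reply suggests. The datasource "app_dsn", the "products" table and its columns are assumed placeholders.

```cfml
<!--- Added example, not code from this thread. Datasource "app_dsn" and the
      "products" table are placeholders. --->
<cfparam name="url.productID" default="0">

<!--- Building the statement from request data makes ColdFusion's automatic
      single-quote escaping the whole defence. Avoid this form:
        WHERE productID = '#url.productID#'
--->

<!--- Preferred: the value travels to the driver as a typed bind parameter, so
      the database never parses it as SQL. Declaring cfsqltype also replaces
      type guessing: a value that is not an integer is rejected before the
      query is sent. --->
<cfquery name="getProduct" datasource="app_dsn">
    SELECT productID, productName, price
    FROM   products
    WHERE  productID = <cfqueryparam value="#url.productID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- A query object that does not depend on request data can be stored in the
      Application scope once; the write is guarded with an exclusive lock. --->
<cfif NOT structKeyExists(application, "allProducts")>
    <cflock scope="application" type="exclusive" timeout="10">
        <cfquery name="allProducts" datasource="app_dsn">
            SELECT productID, productName, price
            FROM   products
        </cfquery>
        <cfset application.allProducts = allProducts>
    </cflock>
</cfif>
```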

