If you use cfqueryprocparam, you can still have troubles if your stored proc builds a dynamic statement and then executes it without stripping out single ticks.
We found that out by accident, when our order find would blow up every time someone searched for a name like "O'Neil". :)

~Brad

-----Original Message-----
From: Andy Matthews [mailto:[EMAIL PROTECTED]
Sent: Monday, August 07, 2006 12:27 PM
To: CF-Talk
Subject: RE: Good script to prevent cross-site scripting & sql injection?

I was under the impression that CFQUERYPARAM took care of all of the SQL injection possibilities.

<!----------------//------
andy matthews
web developer
certified advanced coldfusion programmer
ICGLink, Inc.
[EMAIL PROTECTED]
615.370.1530 x737
--------------//--------->

-----Original Message-----
From: Rey Bango [mailto:[EMAIL PROTECTED]
Sent: Monday, August 07, 2006 11:39 AM
To: CF-Talk
Subject: Good script to prevent cross-site scripting & sql injection?

Hi guys,

Any recommendations on a good script to prevent cross-site scripting & sql injection? If someone has good code for this, I'd really appreciate it if I could use it.

Rey...

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249033
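The failure Brad describes, shown as an added T-SQL example that is not code from the thread. The table, procedure and column names are assumed for illustration. A ColdFusion caller can bind the name with cfprocparam and still be injectable, because the parameter only protects the call into the procedure; once the procedure concatenates the value into a string and runs EXEC on it, the value is SQL text again. The second procedure keeps the statement fixed and passes the value to sp_executesql as a parameter, which is what actually closes the hole.

```sql
-- Added example, not from the CF-Talk thread. Object names are assumed.
CREATE TABLE dbo.Orders (OrderID int, CustomerName nvarchar(100));
INSERT INTO dbo.Orders VALUES (1, N'O''Neil'), (2, N'Smith');
GO

-- Vulnerable: @name arrives safely as a parameter, then gets spliced into
-- the statement text. Every single tick in the value now has SQL meaning.
CREATE PROCEDURE dbo.FindOrders_Unsafe @name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT OrderID FROM dbo.Orders WHERE CustomerName = '''
               + @name + N'''';
    EXEC (@sql);
END
GO

-- A legitimate search breaks, because the tick ends the literal early.
-- The procedure runs:  ... WHERE CustomerName = 'O'Neil'
EXEC dbo.FindOrders_Unsafe N'O''Neil';          -- error: Incorrect syntax near 'Neil'

-- The same defect lets a crafted value change the query.
-- The procedure runs:  ... WHERE CustomerName = 'x' OR '1'='1'
EXEC dbo.FindOrders_Unsafe N'x'' OR ''1''=''1'; -- returns every order

-- Fixed: the statement text never changes; the value is bound as a
-- parameter of the dynamic statement, so it cannot alter the query.
CREATE PROCEDURE dbo.FindOrders_Safe @name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT OrderID FROM dbo.Orders WHERE CustomerName = @p_name';
    EXEC sp_executesql @sql, N'@p_name nvarchar(100)', @p_name = @name;
END
GO

EXEC dbo.FindOrders_Safe N'O''Neil';            -- returns OrderID 1
EXEC dbo.FindOrders_Safe N'x'' OR ''1''=''1';   -- returns no rows
```

The same rule applies inside the procedure as in the CFML: a value is safe only while it stays a parameter. If dynamic SQL really is needed (for example, to vary a table or column name), bind every user-supplied value through sp_executesql and restrict the identifier parts to an allow-list; doubling single ticks with REPLACE is a weaker fallback that only covers string literals.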

