> > I was under the impression that CFQUERYPARAM took care of all
> > of the SQL injection possibilities.
>
> All that I know of, but I understand hacker types to often be
> very creative and intelligent people. I always assume that
> they have, or will someday, figure out new attacks. The hope
> being that the attacks are so convoluted and time consuming
> as to usually not be worth it.
Well, actually, CFQUERYPARAM prevents SQL injection attacks from working, period. SQL injection attacks rely upon the ability to have your database execute code, and CFQUERYPARAM prevents that from happening.

That said, CFQUERYPARAM does nothing to prevent other sorts of attacks, so you will certainly want to filter inputs appropriately. There are various approaches you can take to this, but essentially you want to remove or disable any content that would be executable within a browser, such as JavaScript.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249045
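The two points in the reply above, as an added example that is not part of the original thread: a query that pastes a form value into the SQL text beside the same query with CFQUERYPARAM, the one place CFQUERYPARAM cannot help (an identifier such as an ORDER BY column, which a bound parameter cannot carry, so an allow-list is used instead), and output encoding for the browser-side problem. The datasource `application.dsn`, the `articles` table, its columns and the form field names are assumptions made for the example.

```cfml
<!--- Added example, not from the original post. application.dsn, the articles
      table and the form fields are assumed names. --->

<!--- Vulnerable: form.id is spliced into the SQL text, so a value such as
      0 OR 1=1  (or a string with an embedded quote) changes the statement
      the database actually executes. --->
<cfquery name="qBad" datasource="#application.dsn#">
    SELECT id, title, body
    FROM   articles
    WHERE  id = #form.id#
</cfquery>

<!--- Safe: cfqueryparam sends the value as a bound parameter, separate from
      the SQL text, so the database never parses it as SQL. cfsqltype also
      enforces the type: a non-integer raises a ColdFusion error before the
      query is sent. --->
<cfquery name="qGood" datasource="#application.dsn#">
    SELECT id, title, body
    FROM   articles
    WHERE  id = <cfqueryparam value="#form.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Caveat: bound parameters cover values only. A column name in ORDER BY
      cannot be parameterised, so the request value is mapped onto a fixed
      allow-list and the canonical name from that list is used. --->
<cfset allowedSort = "title,created">
<cfset sortCol = "created">
<cfif structKeyExists(form, "sort") AND listFindNoCase(allowedSort, form.sort)>
    <cfset sortCol = listGetAt(allowedSort, listFindNoCase(allowedSort, form.sort))>
</cfif>
<cfquery name="qSorted" datasource="#application.dsn#">
    SELECT id, title
    FROM   articles
    WHERE  author = <cfqueryparam value="#form.author#" cfsqltype="cf_sql_varchar" maxlength="50">
    ORDER BY #sortCol#
</cfquery>

<!--- cfqueryparam does nothing about content that is executable in the
      browser. Encoding at output time neutralises <script> and similar
      markup whatever was stored, independent of any input filtering. --->
<cfoutput query="qGood">
    <h1>#htmlEditFormat(title)#</h1>
    <div>#htmlEditFormat(body)#</div>
</cfoutput>
```

On ColdFusion 10 and later, encodeForHTML() is the preferred replacement for htmlEditFormat(); the structure of the example is the same either way. The ORDER BY case is worth remembering whenever dynamic SQL is built from request data: any fragment that is not a value (table, column, sort direction, LIMIT clause on some drivers) has to be validated against a fixed set rather than parameterised.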

