> So there's the question. Can someone provide an example of a 
> working sql injection attack?

Sure:

http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

There's a whole section in there about multi-step SQL injection attacks
against systems that escape all single quotes. They are certainly more
difficult than typical SQL injection attacks - they involve entering data
values that are likely to be stored and reused in other SQL statements.

Of course, if you simply use CFQUERYPARAM, you won't have to worry about
these or any other SQL injection attacks. Instead of trying to identify
attack patterns - a battle you're going to lose - CFQUERYPARAM creates a
clear delineation between data and executable code.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

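The multi-step attack described above, as an added example that is not part of the original post or the NGS paper. It uses Python's sqlite3 module rather than ColdFusion; the users table, the registration and "change password" features and the `admin'--` payload are constructed for illustration. Registration doubles every single quote, so the INSERT itself is safe, but SQL un-doubles them on the way in and the raw payload is stored. A later feature reads the username back, treats it as already validated, and concatenates it into an UPDATE, which then rewrites the administrator's password. The same feature with bound parameters (the sqlite3 analogue of CFQUERYPARAM) is unaffected, because the stored value can only ever be compared as data.

```python
"""Second-order SQL injection against an application that escapes every single
quote on input, beside the parameterized fix.  Added example using sqlite3; the
schema, features and payload are constructed and not from the original post."""
import sqlite3


def escape_quotes(value: str) -> str:
    """The input filter under discussion: double every single quote."""
    return value.replace("'", "''")


def setup_db() -> sqlite3.Connection:
    """In-memory database with one pre-existing privileged account (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id       INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password TEXT NOT NULL
        );
        INSERT INTO users (username, password) VALUES ('admin', 'S3cret!');
        """
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Step 1: registration escapes quotes, so this INSERT is not injectable.
    SQL un-doubles the quotes, so the *stored* value is the attacker's raw string."""
    sql = "INSERT INTO users (username, password) VALUES ('%s', '%s')" % (
        escape_quotes(username),
        escape_quotes(password),
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.lastrowid


def stored_username(conn: sqlite3.Connection, user_id: int) -> str:
    """Read the username back exactly as the database holds it."""
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]


def password_of(conn: sqlite3.Connection, username: str) -> str:
    """Helper for inspecting the outcome of each variant."""
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row[0]


def change_password_vulnerable(conn: sqlite3.Connection, user_id: int, new_password: str) -> str:
    """Step 2 (vulnerable): the username comes from the database, is trusted as
    'already validated', and is concatenated without escaping.  With the stored
    value admin'-- the WHERE clause becomes  username = 'admin'--'  and the rest
    of the statement is commented out."""
    username = stored_username(conn, user_id)
    sql = "UPDATE users SET password = '%s' WHERE username = '%s'" % (
        escape_quotes(new_password),
        username,
    )
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the caller can see the statement that actually ran


def change_password_safe(conn: sqlite3.Connection, user_id: int, new_password: str) -> str:
    """Same feature with bound parameters: data and SQL text never mix, so the
    stored username is only ever compared as a value."""
    username = stored_username(conn, user_id)
    sql = "UPDATE users SET password = ? WHERE username = ?"
    conn.execute(sql, (new_password, username))
    conn.commit()
    return sql


if __name__ == "__main__":
    payload = "admin'--"  # passes the quote filter, is stored verbatim, rewrites the later UPDATE

    conn = setup_db()
    uid = register(conn, payload, "attacker-pw")
    print("stored username:", stored_username(conn, uid))
    print("ran:", change_password_vulnerable(conn, uid, "pwned"))
    print("admin password now:", password_of(conn, "admin"))

    conn = setup_db()
    uid = register(conn, payload, "attacker-pw")
    change_password_safe(conn, uid, "pwned")
    print("admin password with bound parameters:", password_of(conn, "admin"))
```

The lesson is the one the post makes: the escaping in `register` did its job, and the second query was still subverted, because the trust boundary is every place data meets SQL text, not just the form handler. Binding parameters at each query removes the need to track where a value has been.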

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250998