> I was talking about bugs in code too -- SQL injection, XSS,
> bad logic, etc. And I'd argue personally and professionally
> using dozens of sites I've been hired to work on as a basis,
> that since CF *is* so simple, it's more likely that there are
> deadly bugs in the code -- even now, years into the existence
> of CF, I see CFQUERY without CFQUERYPARAM around form or url
> variables. I also see plenty of files uploaded to web
> accessible directories through web forms.
This has been my experience as well. CF makes development easier - bad development as well as good development.

> That's ridiculous. CF autoescapes quotes -- that's got
> *nothing* to do with SQL injection. And it's *easy* to
> demonstrate it in CF -- here's one from DevNet to get you
> started
> http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html

Escaping quotes does make SQL injection a little harder, but far from impossible.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269059
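The anti-pattern the thread describes (CFQUERY interpolating form or url variables without CFQUERYPARAM) is easy to audit for mechanically. The following is an added example, not code from the post or from Adobe: a small Python scan over constructed CFML snippets that flags each request variable interpolated directly into a query's SQL text. The file names and query bodies are made up for the example; the check is a heuristic on tag syntax, not a CFML parser.

```python
import re

# Constructed CFML snippets standing in for files under audit (not from the post).
# unsafe.cfm: #url.id# sits in a numeric context with no quotes at all, so CF's
# quote escaping has nothing to act on; only cfqueryparam binds it as a value.
SAMPLES = {
    "unsafe.cfm": """
<cfquery name="getUser" datasource="app">
  SELECT id, name FROM users WHERE id = #url.id#
</cfquery>
""",
    "safe.cfm": """
<cfquery name="getUser" datasource="app">
  SELECT id, name FROM users
  WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
""",
    "mixed.cfm": """
<cfquery name="search" datasource="app">
  SELECT id FROM users
  WHERE name = <cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar">
    AND status = '#form.status#'
</cfquery>
""",
}

# \b after "cfquery" keeps this from matching the opening of a <cfqueryparam> tag.
CFQUERY_RE = re.compile(r"<cfquery\b.*?</cfquery>", re.IGNORECASE | re.DOTALL)
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE | re.DOTALL)
# A #form.x# or #url.x# reference; CFML scopes are case-insensitive.
REQUEST_VAR_RE = re.compile(r"#\s*(form|url)\.[a-z_][a-z0-9_]*\s*#", re.IGNORECASE)


def find_unparameterized(cfml):
    """Return form/url variables that a cfquery interpolates outside cfqueryparam."""
    findings = []
    for query in CFQUERY_RE.findall(cfml):
        # Strip every cfqueryparam tag; any #form.x#/#url.x# left is raw SQL text.
        raw_sql = CFQUERYPARAM_RE.sub("", query)
        findings.extend(m.group(0) for m in REQUEST_VAR_RE.finditer(raw_sql))
    return findings


def audit(files):
    """Map file name -> flagged variables, for files with at least one finding.
    Heuristic only: a request value copied into a local variable first is missed."""
    report = {}
    for name, src in files.items():
        hits = find_unparameterized(src)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in audit(SAMPLES).items():
        print(f"{name}: unparameterized {', '.join(hits)}")
```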

