On 8/6/07, Paul Vernon wrote:
> I don't know how many times we've seen the subject of this thread over the
> last few years but it generally ends with Jochem blowing holes in every type
> of contrived SQL injection protection and the general consensus ends up
> being if you are worried about SQL injection, use CFQUERYPARAM.

Heh. Yeah, I guess I could just bite the bullet, and grunt it out. Or, since cfquery /has/ to be a well formed tag... hmmm... =]

> For XSS then you really should be looking at using HTMLEditFormat() and
> HTMLCodeFormat() to make any user submitted content safe.

Damn. What does that do to WYSIWYG stuff?!?! And CF8 has this shiny DHTML editor... The alternative is what, stripping JS content? The wily fiends are always coming up with ways of concatenating crazy new things together.

....

> Every time I get a value is not of type CF_SQL_INTEGER error, I look at
> their attack from the error dump, invariably smile at the fact that
> CFQUERYPARAM has saved the day *again* and chalk one up for the good guys.

Indeed! I had a swath of them this week, and felt the same warm fuzzies, as well as some trepidation... Bastards just keep hammering away... *sigh*
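An added illustration of the two points Paul makes above (bound parameters for SQL, HTML escaping for output), written for this archive entry and not code from either poster; the datasource "myDSN", the "articles" table and the url/form fields are assumed placeholders:

```cfml
<!--- Constructed example: look up a record by the id in the URL and echo a
      user-supplied comment back. Table, columns and datasource are assumed. --->

<!--- Weak form: the URL value is pasted straight into the SQL string, so the
      database sees whatever the client sent as part of the statement. --->
<cfquery name="getArticleUnsafe" datasource="myDSN">
    SELECT id, title FROM articles WHERE id = #url.id#
</cfquery>

<!--- Hardened form: cfqueryparam checks the value against cfsqltype before
      sending it as a bound parameter. A non-integer never reaches the
      database; ColdFusion throws the CF_SQL_INTEGER type error Paul sees in
      his error dumps, which is why those dumps double as an attack log. --->
<cfquery name="getArticle" datasource="myDSN">
    SELECT id, title
    FROM articles
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Output side: echoing a comment raw is an XSS sink. HTMLEditFormat()
      replaces <, >, & and " with entities so the browser renders the text
      instead of interpreting it as markup. HTMLCodeFormat() does the same and
      also wraps the result in <pre>, which suits displaying code samples. --->
<cfoutput>
    <h1>#HTMLEditFormat(getArticle.title)#</h1>
    <p>#HTMLEditFormat(form.comment)#</p>
</cfoutput>
```

HTMLEditFormat() escapes every tag, so it fits plain-text fields; rich-text HTML from a WYSIWYG editor would render as literal tags, which is the trade-off the reply above is asking about, and that case calls for a whitelist-based HTML sanitizer rather than blanket escaping.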

