Bryan Stevenson wrote:
>> Have you played with characters your database considers escape
>> characters? Do you know which characters that are? Do you know which
>> characters that will be for every database your application will ever
>> run on?
>> Have you played with characters CF does not consider escape characters
>> because CF evaluates their Unicode version, but your database considers
>> escape characters because your database considers their ASCII version?
>> Do you know which characters that are? Do you know which characters that
>> will be for every database your application will ever run on?
>>
>> Do you expect a hacker to know more about these issues than you do?
>> Do you like to take chances?
>
> I'm sensing a theme Jochem....perhaps you think the poster should use
> cfqueryparam?? ;-)
Using character set conversions for SQL attacks is very real:
http://lists.mysql.com/announce/364
http://www.postgresql.org/docs/techdocs.50

It gets even more fun when you use a custom escape clause:
http://msdn2.microsoft.com/en-us/library/aa933232(SQL.80).aspx

I'm not even going to try to comprehend what happens when you combine these issues or evaluate the potential for abuse this gives in a mixed (Java and C) environment. I would be very interested in reading the opinion of somebody who understands all aspects of these issues, but I can't imagine anybody convincing me not to use cfqueryparam.

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285766
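As an added illustration (not part of the thread), the contrast the posters are pointing at: the same lookup written by splicing request values into the SQL text, and then written with cfqueryparam so the values travel as typed bind parameters and never pass through application-side escaping at all. The datasource name, table, and form fields are assumed.

```cfml
<!--- Constructed example: look up a user by name and numeric account id. --->

<!--- Vulnerable form: the request values become part of the SQL string.
      Whatever escaping the application applies has to agree with what the
      database considers special, for every character set and every driver
      the app will ever run against; a mismatch changes the query's meaning. --->
<cfquery name="getUserUnsafe" datasource="appDsn">
    SELECT id, username, account_id
    FROM   users
    WHERE  username   = '#form.username#'
    AND    account_id = #form.accountId#
</cfquery>

<!--- Hardened form: cfqueryparam binds each value as a parameter of a declared
      SQL type. The value is never interpreted as SQL, so escape characters,
      charset conversions and custom ESCAPE clauses in the SQL text are not
      in play. cfsqltype also rejects a non-integer for account_id before the
      query is sent, and maxlength bounds the string. --->
<cfquery name="getUser" datasource="appDsn">
    SELECT id, username, account_id
    FROM   users
    WHERE  username   = <cfqueryparam value="#form.username#"
                                      cfsqltype="cf_sql_varchar"
                                      maxlength="64">
    AND    account_id = <cfqueryparam value="#form.accountId#"
                                      cfsqltype="cf_sql_integer">
</cfquery>
```

The hardened query is also what the database can cache as a prepared statement, so the change costs nothing at runtime.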

