> After reading the following pages...
> 
> The Unexpected SQL Injection - When Escaping Is Not Enough 
> http://webappsec.org/projects/articles/091007.shtml
> 
> SQL Injection Cheat Sheet
> http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/
> 
> I wonder if our beloved <cfqueryparam> and <cfprocparam> are
> strong enough to defend against all of the attacks mentioned in the
> pages above. Would any CF security expert please comment on this?

CFQUERYPARAM doesn't rely on escaping values; it builds a prepared statement
that separates SQL code from input values. So, yes, it is sufficient to
prevent any SQL injection attack.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
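As an added illustration, not part of the thread, here is the string-splicing form beside the parameterized form the reply describes; the datasource, table, column and request variable names are assumed:

```cfml
<!--- Splicing: the request value becomes part of the SQL text. Quote-escaping
      does not help in a numeric context, because there are no quotes to escape. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username FROM users WHERE id = #url.id#
</cfquery>

<!--- Parameterized: the value travels as a bound parameter of a prepared
      statement and is never parsed as SQL. cf_sql_integer also rejects
      non-numeric input before the query is sent. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String context, including a LIKE pattern: still bound, not spliced.
      maxlength bounds the value the driver will accept. --->
<cfquery name="findUsers" datasource="myDSN">
    SELECT id, username FROM users
    WHERE username LIKE <cfqueryparam value="#form.q#%"
                                      cfsqltype="cf_sql_varchar"
                                      maxlength="50">
</cfquery>

<!--- IN lists: list="true" binds one parameter per list element. --->
<cfquery name="getUsers" datasource="myDSN">
    SELECT id, username FROM users
    WHERE id IN (<cfqueryparam value="#form.ids#"
                               cfsqltype="cf_sql_integer"
                               list="true">)
</cfquery>

<!--- Stored procedure call: cfprocparam binds the argument the same way. --->
<cfstoredproc procedure="sp_get_user" datasource="myDSN">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#url.id#">
    <cfprocresult name="getUser">
</cfstoredproc>
```

Bound parameters cover values only: a table or column name, or an ORDER BY direction, cannot be parameterized and must still be checked against a fixed list of allowed identifiers.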

