> Can cfqueryparam, cfprocparam and app.scriptProtect dodge all
> known SQL Injection attacks?

CFQUERYPARAM can, yes. There's nothing special about CFPROCPARAM; your stored procedures will be able to separate SQL code from data just like a prepared statement, in any environment from which they're called. SCRIPTPROTECT has nothing to do with preventing SQL injection; it's to prevent XSS, and it doesn't guarantee safety from XSS attacks (by a long shot).

> Is there anything we CFers should pay attention to?

You should already know the difference between SQL injection and XSS, for one thing. You should be thoroughly familiar with the categories of web application vulnerabilities. OWASP (http://owasp.org/) is a great place to start if you're not yet there. There are all sorts of problems within web applications beyond SQL injection vulnerabilities.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
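The distinction the reply draws, as an added CFML example that is not from the original post or from Fig Leaf Software: the same lookup with the request value pasted into the SQL text, then bound with cfqueryparam, and the stored-procedure form with cfprocparam. The datasource name `appDS`, the `users` table and the procedure `usp_GetUser` are assumed.

```cfml
<!--- Added example, not from the original post. Assumed: datasource "appDS",
      table "users" with an integer "id" column, and a procedure "usp_GetUser". --->

<!--- Vulnerable: url.id becomes part of the SQL text, so the request controls
      the statement, not just the value being compared. --->
<cfquery name="qUser" datasource="appDS">
    SELECT id, username FROM users WHERE id = #url.id#
</cfquery>

<!--- Fixed: cfqueryparam sends url.id as a typed bind parameter; the SQL text is
      fixed, and a non-integer value is rejected by ColdFusion before the query runs. --->
<cfquery name="qUser" datasource="appDS">
    SELECT id, username FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String values get the same treatment; maxlength caps what reaches the database. --->
<cfquery name="qByName" datasource="appDS">
    SELECT id, username FROM users
    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="64">
</cfquery>

<!--- Stored-procedure form: cfprocparam binds the value the same way. This only
      helps if usp_GetUser does not itself build dynamic SQL from its parameter. --->
<cfstoredproc procedure="usp_GetUser" datasource="appDS">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#url.id#">
    <cfprocresult name="qUser">
</cfstoredproc>

<!--- Bind parameters cover values only. Anything that must vary the SQL structure
      (an ORDER BY column, a table name) has to be checked against a fixed allow-list. --->
<cfset sortCols = "username,id">
<cfset sortBy = listFindNoCase(sortCols, url.sort) ? url.sort : "id">
<cfquery name="qSorted" datasource="appDS">
    SELECT id, username FROM users ORDER BY #sortBy#
</cfquery>
```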

