Mark Kruger wrote: > Ian, > > I posted an example of this recently on my blog. > > http://www.coldfusionmuse.com/index.cfm/2008/2/22/sql-injection-on-a-charact > er-field > > The long and short is that different platforms allow you to escape single > quotes differently and this technique can be used to get the right number of > quotes into string for the purpose of injection... > > Best practice: Use cfqueryparam - there is no good reason NOT to do so > (especially on CF8). > > -mark
Thanks that's just the type of information I was looking for. I know and use <cfqueryparam...>, but I wanted some more concrete examples on what it is protecting us from. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;160198600;22374440;w Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:301412 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
