Yes, you are vulnerable if you do not sanitize the inputs...

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Tim Do [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2008 2:28 PM
To: CF-Talk
Subject: cfquery and cfstoredproc

I have been asked to look at a possible SQL injection attack. As I look through the code I see stored procs being called by using cfquery like:

<cfquery name="asdf" datasource="asdf">
storedproc '#var1#', '#var2#'
</cfquery>

I've read about using cfstored procs and params to prevent attacks. I've read that using cfquery and doing inline queries can cause injection attacks, but I wasn't sure about using cfquery and calling a stored proc through it. Can somebody please confirm?

Thanks!
Tim

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309478
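
The call from the question rewritten with bound parameters, as an added example that is not part of the original thread. The names `storedproc`, `asdf`, `var1` and `var2` come from the question; the parameter types, the `maxlength` value and the SQL Server-style `EXEC` syntax are assumptions.

```cfml
<!--- Option 1: cfstoredproc with cfprocparam.
      Each value travels to the database as a typed, bound parameter,
      separate from the SQL text, so it is never parsed as SQL.
      Assumption: var1 is a string and var2 is an integer. --->
<cfstoredproc procedure="storedproc" datasource="asdf">
    <cfprocparam type="in" cfsqltype="CF_SQL_VARCHAR" value="#var1#" maxlength="50">
    <cfprocparam type="in" cfsqltype="CF_SQL_INTEGER" value="#var2#">
    <!--- Expose the first result set under the query name used in the question. --->
    <cfprocresult name="asdf" resultset="1">
</cfstoredproc>

<!--- Option 2: keep cfquery, but bind every value with cfqueryparam
      instead of splicing '#var1#' into the statement text.
      A non-integer var2 raises a ColdFusion error before anything
      reaches the database.
      Assumption: the datasource is SQL Server, hence EXEC. --->
<cfquery name="asdf" datasource="asdf">
    EXEC storedproc
        <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#var1#" maxlength="50">,
        <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#var2#">
</cfquery>
```

Binding protects the call itself; a stored procedure that concatenates its arguments into dynamic SQL internally still needs to be reviewed separately.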