Not if you use MySQL. That DBMS allows for an alternative way to escape those with a backslash.
This has been a much blogged topic recently. http://www.codersrevolution.com/index.cfm/2008/7/13/Just-when-you-felt-safe-SQL-Injection-and-MySQL http://www.coldfusionmuse.com/index.cfm/2008/2/22/sql-injection-on-a-character-field http://www.coldfusionmuse.com/index.cfm/2008/5/16/disable-backslash-escape-on-mysql This is the technicality I was citing when I disagreed with Dave Watts the other day about calling stored procs inline. If you have a cfquery and a character field enclosed in single ticks and you haven't turned off MySQL's default ways of escaping those ticks, you CAN GET HACKED if you are not using cfqueryparam. I've demonstrated a working example on the first link I provided. ~Brad ----- Original Message ----- From: "Claude Schneegans" <[EMAIL PROTECTED]> To: "CF-Talk" <[email protected]> Sent: Thursday, July 24, 2008 11:32 AM Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... > >>Closing the apostrophe is exactly how SQL injection occurs with text > field > > Ok, you got it! > BUT CFQUERY will escape that apostophe anyway, so that the SQL injection > will > just be part of the string stored in the field either you use CFQP or not. > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309626 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
