To be more precise, would the code below prevent an injection attack?
Stored proc:
.......
@uid uniqueidentifier
AS
BEGIN
SELECT ID,column1, column2..etc
FROM tbltable
WHERE UID = @uid
END
CF Code:
<cfquery name="doStuff" datasource="#application.DSN#">
    EXEC usp_getSomeData
        @uid = '#url.uid#'
</cfquery>
>>This is yet another example where CFQUERYPARAM would have prevented
>>the attack. Every time someone says it's unnecessary, I'm going to
>>point them to this thread.
>
>Is it safe to assume then that using a stored procedure would have prevented the
>attack?
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321504
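
Added example, not part of the original post or thread: the call from the question with the value bound as a parameter instead of being written into the EXEC text, which is the difference CFQUERYPARAM makes whether or not a stored procedure sits behind the query. It assumes SQL Server, that the procedure's parameter is @uid as declared in the post, and that answering a malformed value with HTTP 400 is acceptable; the two forms are alternatives, so use one.

```cfml
<!--- Added example: assumes SQL Server and the usp_getSomeData procedure from the post. --->
<cfparam name="url.uid" default="">

<!--- Reject anything that is not shaped like a GUID (8-4-4-4-12 hex digits)
      before it gets near the database. --->
<cfif NOT isValid("guid", url.uid)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- Form 1: keep cfquery, but bind the value.
      cfqueryparam sends url.uid as a typed parameter, separate from the
      SQL text, so its content is never parsed as part of the EXEC statement.
      SQL Server converts the 36-character string to uniqueidentifier. --->
<cfquery name="doStuff" datasource="#application.DSN#">
    EXEC usp_getSomeData
        @uid = <cfqueryparam value="#url.uid#"
                             cfsqltype="cf_sql_char"
                             maxlength="36">
</cfquery>

<!--- Form 2: call the procedure through cfstoredproc.
      cfprocparam binds the value the same way; parameters are passed
      in the order the procedure declares them. --->
<cfstoredproc procedure="usp_getSomeData" datasource="#application.DSN#">
    <cfprocparam type="in"
                 value="#url.uid#"
                 cfsqltype="cf_sql_char"
                 maxlength="36">
    <cfprocresult name="doStuff">
</cfstoredproc>
```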