> I've always been curious as to how cfqueryparam works. Does anyone know if > it just performs some scanning and filtering on the actual values of the > parameters passed to it or whether it somehow signals to the RDBMS that the > values are parameters to the query thereby treating an SQLI attack as an > escaped string or something?
It builds a prepared statement. It doesn't scan or filter anything. > cfqueryparam errors when you try to use it outside a cfquery tag, which > limits some of the stuff you can do with it. ( Like using cfsavecontent to > have various cffunctions append SQL to a query and then popping that > variable inside of a cfquery tag ). > > Is there some other way to leverage the parameterized safety of > cfqueryparam? Can you do it using pure SQL? The database driver? Any ideas > on how I could provide the same security outside of cfquery tags? You could build a prepared statement yourself. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321651 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

