>> CFQUERYPARAM will prevent all SQL injection attacks

This is demonstrably false. Semantics, arguments and opinions aside, spreading misinformation like this is irresponsible. An attack can be made to inject SQL on a CF application using CFQuery that cannot be prevented with cfqueryparam. To paraphrase Uncle Bill, "...it must follow, as the night the day, thou canst not then prevent a SQL injection attack with cfqueryparam".
Kind regards,
Emmit

On Thu, Jul 16, 2009 at 3:26 PM, <[email protected]> wrote:
>
> -------- Original Message --------
> Subject: Re: CF prepared statements
> From: Dave Watts <[email protected]>
> Date: Thu, July 16, 2009 2:17 pm
> To: cf-talk <[email protected]>
>
> > You should know better than that, Dave. I'll always be here to point
> > out the edge case--
>
> If you use EXEC, EXECUTE, sp_executesql, whatever, you are explicitly
> treating data as executable code. That's what those SPs and functions
> do. I don't think that's an edge case; it's a different case entirely.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324613
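The case both posters are circling is the one where cfqueryparam binds the value correctly on the ColdFusion side, but a stored procedure then rebuilds that value into dynamic SQL. The T-SQL below is an added example, not code from the thread or from any poster: the procedure names, the Users table and the datasource name are assumptions, and the final query is a heuristic a DBA could run to find procedures worth reviewing.

```sql
-- Added example (not from the thread). Assume the ColdFusion caller does
-- the right thing and binds the value:
--   <cfquery datasource="app">
--     EXEC dbo.FindUser @name = <cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar">
--   </cfquery>
-- The bound parameter keeps the outer EXEC safe. What happens to the value
-- after it lands in @name is decided entirely by the procedure.

-- VULNERABLE: the procedure concatenates the value into a string and runs
-- the string, so the data/code boundary the driver enforced is discarded.
CREATE PROCEDURE dbo.FindUser_Vulnerable @name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT id, name FROM dbo.Users WHERE name = ''' + @name + N'''';
    EXEC sp_executesql @sql;   -- @name is now executable text, not data
END;
GO

-- HARDENED: keep the value a parameter all the way down. sp_executesql
-- takes a parameter definition list and binds the value separately from
-- the statement text, so no quoting or escaping is involved.
CREATE PROCEDURE dbo.FindUser_Safe @name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT id, name FROM dbo.Users WHERE name = @n';
    EXEC sp_executesql @sql, N'@n NVARCHAR(100)', @n = @name;
END;
GO

-- Defender's check (SQL Server, assumed): list modules that use dynamic
-- SQL at all. Each hit still needs a human to confirm whether the text
-- is built by concatenation or passed through as a bound parameter.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS module_name
FROM sys.sql_modules AS m
WHERE m.definition LIKE '%sp_executesql%'
   OR m.definition LIKE '%EXEC(%'
   OR m.definition LIKE '%EXECUTE(%'
ORDER BY schema_name, module_name;
```

The same review applies to any EXEC or EXECUTE inside triggers and functions, since cfqueryparam has no visibility into what runs after the parameter is delivered.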

