No, the queries written in those examples are patently stupid. Anyone deliberately circumventing the protection that bind parameters provide by subsequently forcing those parameters to be used as literal SQL gets what they deserve.
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

2009/7/17 Emmit Larson <[email protected]>:
>
> I believe that Brad Wood has made the case for that with his aforementioned
> blog post.
> Emmit
>
> On Thu, Jul 16, 2009 at 8:48 PM, James Holmes <[email protected]> wrote:
>
>>
>> Can you provide examples?
>>
>> mxAjax / CFAjax docs and other useful articles:
>> http://www.bifrost.com.au/blog/
>>
>> 2009/7/17 Emmit Larson <[email protected]>:
>> >
>> >>> CFQUERYPARAM will prevent all SQL injection attacks
>> >
>> > This is demonstrably false. Semantics, arguments and opinions aside,
>> > spreading misinformation like this is irresponsible. An attack can be made
>> > to inject SQL on a CF application using CFQuery that cannot be prevented
>> > with cfqueryparam. To paraphrase Uncle Bill, "...it must follow, as the
>> > night the day, thou canst not then prevent a SQL injection
>> > attacks with cfqueryparam".
>>
>>
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324619
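The point made in this reply (binding protects the statement the value is bound into, not a second statement built from that value as text), shown as an added illustration that is not code from the thread. Python's sqlite3 `?` placeholders stand in for cfqueryparam; the table, user names and probe string are constructed for the demo.

```python
import sqlite3

# Constructed sample table (not from the thread): three users, one admin.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return con

def lookup_bound(con, name):
    """Bound parameter (the stand-in for cfqueryparam): the value travels
    separately from the SQL text, so it is only ever compared as a string."""
    return [r[0] for r in con.execute("SELECT id FROM users WHERE name = ?", (name,))]

def lookup_bound_then_spliced(con, name):
    """Defeats the binding: the value is bound on the way in, then the *result*
    is pasted into a second SQL string that is executed as SQL text. This is the
    pattern the thread argues about, e.g. a procedure that receives a bound
    argument and then builds and executes a query string from it."""
    (val,) = con.execute("SELECT ?", (name,)).fetchone()       # bind step: harmless
    sql = "SELECT id FROM users WHERE name = '" + val + "'"    # splice step: the bug
    return [r[0] for r in con.execute(sql)]

def lookup_bound_throughout(con, name):
    """Hardened form: the value stays a bind parameter at every point where it
    meets SQL text, so no layer ever interprets it as SQL."""
    (val,) = con.execute("SELECT ?", (name,)).fetchone()
    return [r[0] for r in con.execute("SELECT id FROM users WHERE name = ?", (val,))]

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed input: data in one path, SQL in the other
    print(lookup_bound(db, probe))               # []        nobody has that literal name
    print(lookup_bound_then_spliced(db, probe))  # [1, 2, 3] the OR became part of the query
    print(lookup_bound_throughout(db, probe))    # []
```

The fix is not a cleverer parameter type but never letting the bound value become SQL text again, in the application or in a stored procedure.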

