>>An attack can be made to inject SQL on a CF application using CFQuery that cannot be prevented with cfqueryparam.
Well... it depends what you mean by "SQL injection". One thing CFQUERYPARAM cannot prevent is inserting malicious content in a text field, like links or simply references to porn sites or whatever. But this is NOT SQL injection; it doesn't use any SQL. SQL injection means that the attack adds malicious SQL statements in a text field in such a way that parts of the text will execute some extra SQL statements. And this is what CFQUERYPARAM makes impossible.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324620
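The distinction drawn in the reply, shown as an added example that is not from the original post or the ColdFusion documentation. It uses Python's built-in sqlite3 module rather than CFML so it runs stand-alone: string interpolation into the SQL text plays the role of a bare `<cfquery>` with `#form.x#` inside it, and the `?` placeholder plays the role of `<cfqueryparam>`. The user rows, the login query, the `' OR '1'='1` payload and the spam link are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]
INJECTION = "' OR '1'='1"
SPAM = "Check out <a href='http://example.invalid/porn'>this</a>"


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("CREATE TABLE comments (body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """Vulnerable: the equivalent of <cfquery> interpolating #form.name# directly.

    The attacker's text becomes part of the SQL the parser reads, so a quote
    in the input closes the string literal and the rest is parsed as SQL.
    """
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Safe: the equivalent of <cfqueryparam>.

    The SQL text is fixed before any user value is seen; the values are bound
    to the ? placeholders as data and never reach the SQL parser.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def store_comment(conn, body):
    """Parameterised INSERT: stores whatever text it is given, verbatim.

    This is the point of the reply: a parameter stops the text from being
    executed as SQL, but it does not judge or filter the content itself.
    """
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()
    row = conn.execute(
        "SELECT body FROM comments ORDER BY rowid DESC LIMIT 1").fetchone()
    return row[0]


def demo():
    conn = setup()
    return {
        # Injection through interpolation: the WHERE clause becomes
        # name = 'anything' AND password = '' OR '1'='1', matching every row.
        "concat": login_concat(conn, "anything", INJECTION),
        # Same payload through a bound parameter: compared literally, no match.
        "param": login_param(conn, "anything", INJECTION),
        # The payload stored as a comment is just a string, kept as-is.
        "stored_injection": store_comment(conn, INJECTION),
        # A spam link is also just a string; cfqueryparam cannot stop this.
        "stored_spam": store_comment(conn, SPAM),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it and the `concat` result lists every user while `param` is empty for the same input; the two `stored_*` results come back exactly as submitted, which is the "malicious content but not SQL injection" case the reply describes. Input validation or output encoding, not query parameterisation, is what addresses that case.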