Not all injection tricks are based upon multi-statement SQL!
Example bad code:
<cfset NewPassword = "whatever" />
<!--- attacker-controlled value: closes the quote, adds an always-true condition, comments out the rest --->
<cfset Username = "bob' OR 1=1 --" />
<cfquery ...>
UPDATE users
SET pass = '#NewPassword#'
WHERE user = '#Username#'
</cfquery>
<!--- generated SQL: UPDATE users SET pass = 'whatever' WHERE user = 'bob' OR 1=1 --'
      a single statement, yet every row's password is changed --->
Using cfqueryparam will avoid this problem.
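The hardened version of the query above, as an added example that is not part of the original post: the same UPDATE written with cfqueryparam, plus a check on the number of affected rows. The datasource variable `dsn` and the column length 50 are assumed, and the `result` attribute of cfquery (ColdFusion 8 and later) is assumed to be available.

```coldfusion
<!--- Constructed input, the same values the post uses --->
<cfset NewPassword = "whatever" />
<cfset Username = "bob' OR 1=1 --" />

<!--- dsn is an assumed, already-configured datasource name --->
<cfset dsn = "myDatasource" />

<!--- Hardened form: cfqueryparam sends both values as bind parameters.
      The quote, the OR and the -- travel as data inside one string value,
      so the WHERE clause matches only a user literally named
      "bob' OR 1=1 --" (i.e. no row); the SQL text itself never changes.
      maxlength="50" (assumed column width) also rejects oversized input. --->
<cfquery name="updPass" datasource="#dsn#" result="updResult">
    UPDATE users
    SET pass = <cfqueryparam value="#NewPassword#" cfsqltype="cf_sql_varchar" maxlength="50" />
    WHERE user = <cfqueryparam value="#Username#" cfsqltype="cf_sql_varchar" maxlength="50" />
</cfquery>

<!--- Defensive check: a password change for one user must touch at most one row.
      updResult.recordCount holds the affected-row count for an UPDATE. --->
<cfif updResult.recordCount GT 1>
    <cfthrow message="Password update affected #updResult.recordCount# rows; expected at most 1" />
</cfif>
```

With the injected username the hardened query updates zero rows; with a legitimate username it updates exactly one. The row-count check is cheap insurance against any future query that slips back to string interpolation.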
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325500