Rick,

Saying those tags are ok to use is not promoting people to write insecure applications, and I certainly would not imply that. Protecting your application against SQL/XSS attacks is something you should do regardless, so I would not say it defeats the point at all; otherwise you could say the same about ORM or any other framework, because you still have to write code of your own to make it do what you want. These things are there to aid in your development and speed things up, not to be some magic bullet that you can rely on to do everything for you. However, in order for that to happen the developer has to actually know what these things are and that he has to protect against them, and the typical newbie is not going to know this, so it is really a moot point.
Russ

-----Original Message-----
From: Rick Root [mailto:[email protected]]
Sent: 23 September 2010 16:28
To: cf-talk
Subject: Re: cfinsert/cfupdate

On Thu, Sep 23, 2010 at 11:24 AM, Russ Michaels <[email protected]> wrote:
>
> That applies across the board Rick, to any sql in any code on any site. If

No, it certainly doesn't. If you write the SQL, they can't post additional form fields that you're not expecting and have them get into your SQL statement.

> You can SCAN the FORM scope and simply remove anything that shouldn't be
> there or simply do not execute the SQL code if you think the request did not
> come from the original form.

Well sure, but that kinda defeats the purpose of the simplicity of these tags.

Rick

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:337395
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
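A worked model of what the two messages above are arguing about, added here as an illustration; it is not code from either poster and not ColdFusion itself. cfinsert/cfupdate build their column list from whatever is in the FORM scope, so the model takes the FORM scope as a Python dict and builds the INSERT from its keys, then shows Russ's two counter-measures (drop the unexpected fields, or refuse the request outright). The table, the column names, the `EXPECTED_FIELDS` allowlist and the tampered request are all constructed for the example; sqlite3 stands in for the datasource so it runs without a CF server. In CFML the equivalent of the allowlist is the `formfields` attribute on cfinsert/cfupdate.

```python
"""
Model of the cfinsert/cfupdate mass-assignment problem from the thread.
Added example, not code from the thread.  FORM scope -> dict, datasource ->
sqlite3, so it runs stand-alone.  Everything below is constructed.
"""
import sqlite3

# Fields the registration form actually contains.  Anything else in a
# request was added by the client, not by the form.  (Constructed; in CFML
# the equivalent is the formfields attribute on cfinsert/cfupdate.)
EXPECTED_FIELDS = ("username", "email")


def setup_db():
    """Constructed schema: is_admin is never meant to be settable from the form."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL,"
        " email TEXT NOT NULL,"
        " is_admin INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def build_insert(table, fields):
    """Build a parameterised INSERT from a mapping of column -> value.

    Values are bound as parameters, but column names cannot be: whoever
    controls the keys of `fields` controls the column list.  That is what
    cfinsert does with the whole FORM scope when nothing restricts it.
    """
    cols = list(fields)
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (
        table, ", ".join(cols), ", ".join("?" for _ in cols))
    return sql, [fields[c] for c in cols]


def unexpected_fields(form, allowed):
    """Rick's concern, made checkable: which submitted keys did the form not have?"""
    return set(form) - set(allowed)


def filter_form(form, allowed):
    """Russ's first option: scan the FORM scope and drop anything not expected."""
    return {k: v for k, v in form.items() if k in allowed}


def insert_naive(conn, form):
    """Mirror cfinsert's default: every submitted field becomes a column."""
    sql, params = build_insert("users", form)
    conn.execute(sql, params)


def insert_filtered(conn, form):
    """Only allowlisted fields reach the SQL statement."""
    sql, params = build_insert("users", filter_form(form, EXPECTED_FIELDS))
    conn.execute(sql, params)


def insert_strict(conn, form):
    """Russ's second option: refuse the request if it did not come from the form."""
    extra = unexpected_fields(form, EXPECTED_FIELDS)
    if extra:
        raise ValueError(
            "request did not come from the original form: %s" % sorted(extra))
    insert_filtered(conn, form)


def is_admin(conn, username):
    row = conn.execute(
        "SELECT is_admin FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


# Constructed request: the two real fields plus one the form never had.
TAMPERED_FORM = {"username": "mallory",
                 "email": "mallory@example.test",
                 "is_admin": "1"}


def run_demo():
    """Return (is_admin after naive insert, is_admin after filtered insert,
    whether the strict variant rejected the request)."""
    naive = setup_db()
    insert_naive(naive, TAMPERED_FORM)

    filtered = setup_db()
    insert_filtered(filtered, TAMPERED_FORM)

    strict = setup_db()
    try:
        insert_strict(strict, TAMPERED_FORM)
        rejected = False
    except ValueError:
        rejected = True

    return is_admin(naive, "mallory"), is_admin(filtered, "mallory"), rejected


if __name__ == "__main__":
    print(run_demo())  # (1, 0, True)
```

The naive path is the one Rick describes: the client decided that `is_admin` would be a column in the statement, and the row comes back with it set. Note that the problem is not solved by parameterising values, because it is the column identifiers the client is choosing; the fix is that the column list comes from the application (the allowlist), never from the request. Whether to silently drop extra fields or reject the request is the choice Russ mentions; rejecting is the stricter option, since an unexpected field is a reliable sign the request was not produced by your form.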

