> ...lax server security. We've got a boatload of stuff on this site
> to prevent SQL injection, including Justin D. Scott's application
> script, carefully checking anything that goes into the database, ...
I haven't looked at the rest of the thread yet, but I would note that the script I wrote is pretty old, was meant as a stop-gap measure while developers added cfqueryparam to their queries (and otherwise fixed their code), and that some newer SQL injection methods will slip right by it undetected. It was never meant as a permanent solution.

If you are at all unsure about whether or not part of your code might be letting something through, investing in a couple of hours of time from someone with lots of experience dealing with web application security would be money well spent to get a second pair of eyes on it. Without knowing anything about your application I'd be thinking SQL injection just based on your initial post.

I suppose I should read the rest of the thread before I go on too long though. :)

-Justin Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353154
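The fix Justin refers to, adding cfqueryparam instead of relying on an input filter, as an added illustration that is not Justin's script or any code from the thread. The table `products`, its columns and the datasource name `myDSN` are placeholders.

```cfml
<!--- Added example, not code from the thread. "products", its columns and the
      datasource "myDSN" are assumed placeholders. --->

<!--- Vulnerable: url.id is concatenated straight into the SQL text, so whatever the
      caller sends becomes part of the statement. A filter in front of this only stops
      the patterns it already knows about, which is why a blacklist is only a stop-gap. --->
<cfquery name="qVuln" datasource="myDSN">
    SELECT id, name, price
    FROM products
    WHERE id = #url.id#
</cfquery>

<!--- Fixed: cfqueryparam binds the value as a parameter, kept separate from the SQL
      text, and cf_sql_integer rejects any value that is not an integer before the
      query is sent to the database. --->
<cfquery name="qSafe" datasource="myDSN">
    SELECT id, name, price
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Free-text input is bound the same way; maxlength caps what the database sees,
      and the LIKE wildcards are part of the bound value, not the SQL text. --->
<cfquery name="qSearch" datasource="myDSN">
    SELECT id, name, price
    FROM products
    WHERE name LIKE <cfqueryparam value="%#form.term#%"
                                  cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>
```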

