> I had you guys poke at my application the other day to find
> bugs and security problems. Now I need to ask a few questions
> about SQL security, as I am finding out a lot of what I thought
> was right is wrong. I am using cfqueryparam now in my WHERE
> and AND clauses. Now, do I need to also put cfqueryparam on the
> fields I update? Can they append data there?
Yes, it is conceivable that data could be appended to INSERT and UPDATE queries.

> Anything else I may have missed out here?

Probably. The biggest thing that you haven't mentioned here (perhaps because you already take it for granted) doesn't really have to do with how you write your application code. Ideally, even if you don't filter input in your application code, you can limit your exposure to harm by correctly configuring the database, and the rights and permissions within that database. For example, you can create a user within the database, and explicitly grant and deny rights appropriately for that user.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
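As an added illustration of the two points above (this is not code from the original thread): a ColdFusion template in which the values written by UPDATE and INSERT go through cfqueryparam exactly like the WHERE clause. The `users` table with columns `username`, `email`, `is_admin` and `login_count`, and the datasource in `application.dsn`, are assumptions; the attacker input is constructed. The database login behind that datasource should, as Dave says, hold only the rights the application needs (SELECT, INSERT and UPDATE on `users`, for instance, and no DELETE or DDL), which is set up on the database server rather than in the template.

```cfml
<!--- Added example, not code from the original post. Assumes a table
      users(username, email, is_admin, login_count) and a datasource
      named in application.dsn. --->

<!--- Constructed attacker input, as it might arrive in a form post.
      The value closes the quoted string, appends a second assignment
      to the SET list, then comments out the rest of the statement
      (on servers where "--" starts a comment, e.g. SQL Server). --->
<cfset form.username    = "attacker">
<cfset form.email       = "x', is_admin = 1 WHERE username = 'attacker' --">
<cfset form.login_count = "3">

<!--- VULNERABLE (deliberately, for comparison): the value is concatenated
      into the SQL text. The server receives
        UPDATE users SET email = 'x', is_admin = 1
        WHERE username = 'attacker' --' WHERE username = 'attacker'
      so the attacker has appended a column to the SET list.
      Wrapped in <cfif false> so it is never executed. --->
<cfif false>
  <cfquery datasource="#application.dsn#">
    UPDATE users
    SET    email = '#form.email#'
    WHERE  username = '#form.username#'
  </cfquery>
</cfif>

<!--- SAFE: every value position, not just the WHERE clause, is a
      cfqueryparam. The driver binds the value; the quote and the "--"
      are stored literally in the email column and never parsed as SQL.
      maxlength rejects over-long input before it reaches the server. --->
<cfquery datasource="#application.dsn#">
  UPDATE users
  SET    email    = <cfqueryparam value="#form.email#"    cfsqltype="cf_sql_varchar" maxlength="255">
  WHERE  username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<!--- Same rule for INSERT: the VALUES list is parameterised, and the
      is_admin flag is set by the application, never taken from input. --->
<cfquery datasource="#application.dsn#">
  INSERT INTO users (username, email, is_admin)
  VALUES (
    <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">,
    <cfqueryparam value="#form.email#"    cfsqltype="cf_sql_varchar" maxlength="255">,
    <cfqueryparam value="0"               cfsqltype="cf_sql_bit">
  )
</cfquery>

<!--- Numeric columns get a numeric cfsqltype: a value such as
      "3 OR 1=1" fails validation instead of being spliced into the SQL. --->
<cfquery datasource="#application.dsn#">
  UPDATE users
  SET    login_count = <cfqueryparam value="#form.login_count#" cfsqltype="cf_sql_integer">
  WHERE  username    = <cfqueryparam value="#form.username#"    cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>
```

The cfsqltype is not decoration: it is what lets the driver type-check the value, and maxlength should match the column width so that truncation happens at the application boundary rather than silently on the server.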

