Stored procedures are your friends. They enforce strict datatypes.
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 12 April 2002 17:11
> To: CF-Talk
> Subject: RE: Preventing SQL injection attacks...?
>
>
> This is probably the biggest security problem with web applications. It
> boils down to securing and validating your input. Most of these attacks
> are successful only when you're evaluating a number - since a string
> won't execute SQL, but only evaluate it as a string input. So if you're
> expecting numbers, then validate, using isNumeric() or CFQueryParam.
>
> ---
> Billy Cravens
>
>
> -----Original Message-----
> From: Ian Lurie [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 12, 2002 10:17 AM
> To: CF-Talk
> Subject: Preventing SQL injection attacks...?
>
> Hi all,
>
> Had some interesting errors in our logs yesterday. It appears that someone's
> trying to hack our database by inserting SQL query language into the URL
> string.
>
> We're doing all the standard security measures, including filtering for
> single quotes, using database passwords, and the like, and we locked out
> their IP immediately. But really, how do you prevent this? Any
> ideas/feedback out there?
>
> Ian
>
> Portent Interactive
> Helping clients build customer relationships on the web since 1995
> Consulting, design, development, measurement
> http://www.portentinteractive.com
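The following is an added example, not code from anyone on the CF-Talk thread and not ColdFusion: it uses Python's standard sqlite3 module as a stand-in for the CFQUERY / CFQueryParam / stored-procedure pattern the replies describe. The table contents, the `id` URL parameter and the attacker payload are all constructed for the demo. It shows a numeric-context injection through a URL parameter of the kind Ian reports, why stripping single quotes does nothing against it (the payload contains none), and the hardened lookup that validates the type first (the isNumeric() step) and then binds the value as a parameter so the database receives it as data rather than as SQL text (what CFQueryParam and typed stored-procedure parameters do).

```python
import re
import sqlite3

# Constructed sample schema and rows standing in for the site's database.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", 9.99), (2, "Gadget", 19.99), (3, "Gizmo", 29.99)],
    )
    # A second table the attacker should never be able to read through the product page.
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'hash')")
    return con


def quote_filter(value):
    # The "filter for single quotes" defense from the original post, for comparison.
    return value.replace("'", "")


def vulnerable_lookup(con, product_id):
    # product_id is the raw URL parameter, concatenated into the statement text.
    # Because the context is numeric, no quotes are needed to break out of it.
    sql = "SELECT id, name, price FROM products WHERE id = " + product_id
    return con.execute(sql).fetchall()


def safe_lookup(con, product_id):
    # 1. Enforce the expected datatype before the value gets anywhere near SQL
    #    (the isNumeric() check; a strict regex rather than str.isdigit, which
    #    accepts Unicode digits that int() rejects).
    if not isinstance(product_id, str) or not re.fullmatch(r"[0-9]+", product_id):
        raise ValueError("product id must be a non-negative integer")
    # 2. Bind it as a parameter. The driver sends the statement and the value
    #    separately, so the value can never be parsed as SQL (the CFQueryParam
    #    / stored-procedure-parameter behaviour).
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return con.execute(sql, (int(product_id),)).fetchall()


# Constructed attacker payload: what would arrive as ?id=... in the URL.
PAYLOAD = "0 UNION SELECT id, username, password_hash FROM users"


if __name__ == "__main__":
    con = make_db()
    print("normal request:      ", vulnerable_lookup(con, "2"))
    print("injected request:    ", vulnerable_lookup(con, PAYLOAD))
    print("after quote filter:  ", vulnerable_lookup(con, quote_filter(PAYLOAD)))
    print("hardened, normal:    ", safe_lookup(con, "2"))
    try:
        safe_lookup(con, PAYLOAD)
    except ValueError as err:
        print("hardened, injected:   rejected:", err)
```

The UNION payload works against the concatenated query because the WHERE clause expects a bare number, so the attacker needs no quote characters at all; the quote filter passes it through unchanged. The hardened version fails closed: a value that is not a plain integer is rejected before any query runs, and even a value that passes the check is bound as a typed parameter rather than spliced into the statement. In ColdFusion the equivalent is `<cfqueryparam cfsqltype="cf_sql_integer" value="#url.id#">` or a `<cfstoredproc>` with typed `<cfprocparam>` entries, which is the strict-datatype enforcement the reply above recommends.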

