let's say you have a text field that is 100 characters long. you can still get a "drop table tablename" appended to the sql statement or write an entire sql statement. Cfqueryparam was meant to speed up cfquery, not to be a cure-all.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

-----Original Message-----
From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:06 PM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?

[EMAIL PROTECTED] wrote:

>you can't forget that form fields also play a part in this. after reading
>the information provided in jeff's link, it did shine a light. although i
>have been taught from the beginning to always use val() around numeric
>values (thank Adam) and to use regex to validate text input (props Raymond).
>if you're anal and take the time to make sure that the information that people
>are passing you is in the exact format you want, you shouldn't have a
>problem. also, don't rely on javascript, i always do server-side validation
>even after client side, just to make certain. i even go as far as putting as
>much validation as i can into my stored procedures and triggers. although
>SQL server doesn't support regular expressions, which sucks! anyone know a
>way it could?

why not just use cfqueryparam, it validates and it makes your sql code run faster???
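
The two measures discussed in this thread, server-side validation (val() and a regex) and cfqueryparam, shown together next to the unparameterized query they replace. This is an added example, not code from any poster; the datasource `appDSN`, the table `members` and the form fields `lastName` and `memberId` are hypothetical.

```cfml
<!--- Added example. Assumed names: datasource "appDSN", table "members",
      form fields "lastName" and "memberId". --->
<cfparam name="form.lastName" default="">
<cfparam name="form.memberId" default="0">

<!--- Before: form values are spliced into the statement text. The database
      receives one string, and the unquoted memberId is parsed as SQL. --->
<cfquery name="qBefore" datasource="appDSN">
    SELECT member_id, last_name
    FROM members
    WHERE last_name = '#form.lastName#'
      AND member_id = #form.memberId#
</cfquery>

<!--- After, step 1: server-side validation, independent of any JavaScript.
      val() turns non-numeric input into 0; the regex and Len() enforce the
      exact text format and the 100-character limit of the field. --->
<cfset memberId = int(val(form.memberId))>
<cfif memberId LTE 0
      OR Len(form.lastName) GT 100
      OR NOT REFind("^[A-Za-z' -]+$", form.lastName)>
    <cfoutput>Invalid input.</cfoutput>
    <cfabort>
</cfif>

<!--- After, step 2: each value is passed as a typed bind parameter, so it is
      sent to the driver as data, separate from the SQL text. cfsqltype and
      maxlength are checked before the statement is executed. --->
<cfquery name="qAfter" datasource="appDSN">
    SELECT member_id, last_name
    FROM members
    WHERE last_name = <cfqueryparam value="#form.lastName#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="100">
      AND member_id = <cfqueryparam value="#memberId#"
                                    cfsqltype="cf_sql_integer">
</cfquery>
```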

