Hey, are CFID and CFTOKEN vulnerable to this if they are stored as cookies and you are using a DB to store client variables?
Since I assume you could easily modify the CFID and CFTOKEN in the cookie file that the browser maintains.

-----Original Message-----
From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:06 PM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?

[EMAIL PROTECTED] wrote:
> You can't forget that form fields also play a part in this. After reading
> the information provided in Jeff's link, it did shine a light. Although I
> have been taught from the beginning to always use val() around numeric
> values (thank Adam) and to use regex to validate text input (props Raymond).
> If you're anal and take the time to make sure that the information that people
> are passing you is in the exact format you want, you shouldn't have a
> problem. Also, don't rely on JavaScript; I always do server-side validation
> even after client-side, just to make certain. I even go as far as putting as
> much validation as I can into my stored procedures and triggers. Although
> SQL Server doesn't support regular expressions, which sucks! Anyone know a
> way it could?
>

Why not just use cfqueryparam? It validates and it makes your SQL code run faster.
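The cfqueryparam approach Zac recommends, shown beside the string-concatenation form it replaces. This is an added example, not code from the thread; the datasource name, the `orders` table and its columns are assumptions.

```cfml
<!--- Constructed example, not from the CF-Talk thread. --->
<!--- Assumes a datasource "myDSN" and a table "orders" with columns --->
<!--- order_id (integer) and customer_email (varchar). --->

<!--- Unsafe form: url.id is pasted straight into the SQL text, so the --->
<!--- database parses whatever the client sent as part of the statement. --->
<cfquery name="getOrderUnsafe" datasource="myDSN">
    SELECT order_id, customer_email
    FROM   orders
    WHERE  order_id = #url.id#
</cfquery>

<!--- Hardened form: cfqueryparam passes the value as a bind parameter, --->
<!--- so it is data rather than SQL, and cfsqltype="cf_sql_integer" makes --->
<!--- ColdFusion reject a non-integer before the query ever reaches the DB. --->
<!--- Bound statements are also what lets the DB cache and reuse the plan. --->
<cfquery name="getOrderSafe" datasource="myDSN">
    SELECT order_id, customer_email
    FROM   orders
    WHERE  order_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings get the same treatment; maxlength caps oversized input. --->
<cfquery name="getByEmail" datasource="myDSN">
    SELECT order_id
    FROM   orders
    WHERE  customer_email = <cfqueryparam value="#form.email#"
                                          cfsqltype="cf_sql_varchar"
                                          maxlength="254">
</cfquery>
```

The same rule applies to any value read back from client or session storage: it is still client-controlled input by the time it reaches a query, so bind it rather than interpolate it.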

