So what is the best way to prevent an attack when you need to
accept a string?
How would you make a query like this safe?
<cfquery name="qIDs" Datasource="dsn">
SELECT *
FROM names
WHERE name = '#url.name#'
</cfquery>
I have always avoided using anything but ids in a query, but
recently I have needed to use a query like this. What I did was
to check the URL variable for keywords like delete, drop, etc.
But is there a better way?
~DM
= = = Original message = = =
Check out this article by Ben Forta:
http://www.macromedia.com/desdev/articles/ben_forta_faster.html
==
Peter Tilbrook
ColdFusion Applications Developer
Defence Housing Authority
26 Brisbane Ave
Barton ACT 2600
AUSTRALIA
Ph: 02 6217 8444
Fax: 02 6217 8500
Website: www.dha.gov.au
______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for
dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
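The question above asks how to make a query that interpolates `#url.name#` safe, and whether filtering the value for keywords is enough. The following is an added illustration, not code from this thread or from the article it links; it uses Python with SQLite as a stand-in for the ColdFusion datasource, with a constructed `names` table, and contrasts the three approaches discussed: pasting the value into the SQL text, screening it for keywords, and passing it as a bound parameter (the CFML equivalent of the bound parameter being `<cfqueryparam value="#url.name#" cfsqltype="cf_sql_varchar">` inside the `<cfquery>`).

```python
import sqlite3

# Constructed sample data standing in for the "names" table from the post.
SAMPLE_NAMES = ["Alice", "O'Brien", "Bob"]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE names (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO names (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    conn.commit()
    return conn


def lookup_interpolated(conn, name):
    """Mirrors the posted cfquery: the URL value becomes part of the SQL text.
    Returns the matching names, or a string describing the database error."""
    sql = f"SELECT * FROM names WHERE name = '{name}'"
    try:
        return [row[1] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return f"error: {exc}"


def keyword_filter_passes(name, blocked=("delete", "drop")):
    """The blacklist idea from the post: accept the value only if it contains
    none of the listed keywords. It says nothing about quotes or operators."""
    lowered = name.lower()
    return not any(word in lowered for word in blocked)


def lookup_parameterized(conn, name):
    """The fix: the value travels as a bound parameter and is never parsed as
    SQL, so quotes or keywords in it are just data. In CFML the same thing is
    done with <cfqueryparam> instead of #url.name# inside the <cfquery>."""
    return [row[1] for row in
            conn.execute("SELECT * FROM names WHERE name = ?", (name,))]


if __name__ == "__main__":
    db = make_db()
    for value in ("Alice", "O'Brien"):
        print(value, "| filter passes:", keyword_filter_passes(value),
              "| interpolated:", lookup_interpolated(db, value),
              "| parameterized:", lookup_parameterized(db, value))
```

A perfectly legitimate name with an apostrophe sails through the keyword filter yet breaks the interpolated query, because the filter inspects words while the database inspects SQL syntax; the bound parameter version returns the right row for every input, which is why it is the approach to use rather than a blacklist.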