> First of all, every time I see your name as it appears
> on the list (S. Isaac Dealey), my brain for some
> reason automatically translates it into Sir Isaac
> Dealey. So if I call you Sir Isaac by accident, I hope
> that you don't mind. :)

No, it won't bother me... I think you may be confusing me with Newton. Though he's a little older. :)

> ...I am first validating the variable as a numeric, and
> then using CFQUERYPARAM around the variable
> name in the query itself.
>
> All of the variables, whether text-based or not, are
> screened using regexes before submission to a
> SQL query for any attack patterns I can think of.

Yep, you're _very_ safe. :)

> With that approach, I expected that I'd still have to
> filter out ' and ; characters, but it sounds like I don't
> even need to do that. If you or anyone else can
> verify this, I'd appreciate it.

I can verify it... the ; will get filtered out of possibly being appended to numeric or date fields by the regex and queryparams... in string fields where you want users to be able to enter them it shouldn't be a problem because it'll be inside of the string -- and double-quotes, unless you bound the variable with preservesinglequotes(), will all be escaped, which will prevent the user from breaking out of the string variable. And actually, if you're using queryparam to validate it as being a string variable, I don't think there's any way that you _could_ use preservesinglequotes() to choke it, even on the server side with hard-coded strings...

Isaac
www.turnkey.to
954-776-0046

______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
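The pattern the thread is describing (validate the numeric input, then bind every variable with cfqueryparam), as an added example that is not code from the list or from either poster. It assumes a datasource named "shop" and a table orders(order_id INT, customer_name VARCHAR); the inline comments note the interpolated form the advice above is steering away from.

```cfml
<!--- Added example, not from the thread. Assumes datasource "shop"
      and a table orders(order_id INT, customer_name VARCHAR). --->

<!--- Step 1: validate the numeric input before it gets near SQL.
      isValid("integer", ...) rejects anything that is not a whole number. --->
<cfif NOT isValid("integer", url.order_id)>
    <cfthrow message="order_id must be an integer">
</cfif>

<!--- Step 2: bind each variable with cfqueryparam. The value travels as a
      bound parameter, not as part of the SQL text, so a ' or ; typed into
      customer_name stays data and cannot terminate the string or the
      statement. cf_sql_integer additionally rejects non-numeric values,
      and maxlength caps the size of the string parameter. --->
<cfquery name="getOrder" datasource="shop">
    SELECT order_id, customer_name
    FROM   orders
    WHERE  order_id = <cfqueryparam cfsqltype="cf_sql_integer"
                                     value="#url.order_id#">
    AND    customer_name = <cfqueryparam cfsqltype="cf_sql_varchar"
                                          value="#form.customer_name#"
                                          maxlength="100">
</cfquery>

<!--- For contrast, the interpolated forms the advice above argues against.
      Inside cfquery, ColdFusion doubles single quotes in #...# output, which
      is what keeps a quoted string field intact; preserveSingleQuotes()
      switches that escaping off, and a numeric context has no quotes to
      escape in the first place, which is why the regex check matters there.
      Neither line is executed here:

      WHERE order_id = #url.order_id#
      WHERE customer_name = '#preserveSingleQuotes(form.customer_name)#'
--->
```

With cfqueryparam in place, the regex screening is defence in depth rather than the thing standing between user input and the SQL parser.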

