I am using cfparam for database optimisation - param binding. There is some funky stuff going on in the application that generates SQL - not my design, but I have to work with it.
So back to the question, can cf tags be put in a string to be used in another tag later?

On 5/4/07, Peter Tilbrook <[EMAIL PROTECTED]> wrote:
>
> On 04/05/07, Andrew Scott <[EMAIL PROTECTED]> wrote:
> >
> > How can this be a security Risk????
> >
> > <cfsavecontent variable="test">
> > where someField = <cfqueryparam ....... />
> > </cfsavecontent>
> >
> > <cfquery ......>
> > select * from some table
> > <cfoutput>#test#</cfoutput>
> > </cfquery>
>
> How can you verify what is being fed to the database server? What if I
> hacked your app and changed:
>
> > <cfsavecontent variable="test">
> > DROP databasename
> > </cfsavecontent>
>
> You are trying to make ColdFusion a DBMS. It is, never was and likely
> never will be.
>
> Learn to use the DBMS. Learn to communicate with it using CF. Do not
> use CF as a DBMS.
>
> --
> If you are not living on the edge, You are taking up too much space.

You received this message because you are subscribed to the Google Groups "cfaussie" group.
To post to this group, send email to cfaussie@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en
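As an added illustration (not code from the thread or from either poster), here is how the dynamic WHERE clause from the quoted snippet is normally written so that cfqueryparam actually binds: the conditions are assembled inside the cfquery body rather than stored in a string and echoed back with #test#. The datasource, table and column names are placeholders, and the verification step assumes an engine that populates result.sqlparameters (Adobe ColdFusion 8 or later, or Lucee).

```cfml
<!--- Added example; "myDSN", "orders" and its columns are placeholder names. --->

<!--- Each cfqueryparam runs as part of this cfquery, so the DBMS receives a "?"
      placeholder plus a typed value instead of the raw text of url.customerId
      or url.status. Conditions are added with cfif, which is the usual way to
      build an optional clause without concatenating SQL fragments as strings. --->
<cfquery name="getOrders" datasource="myDSN" result="qInfo">
    SELECT order_id, customer_id, status, total
    FROM   orders
    WHERE  1 = 1
    <cfif structKeyExists(url, "customerId") AND isNumeric(url.customerId)>
        AND customer_id = <cfqueryparam value="#url.customerId#" cfsqltype="cf_sql_integer">
    </cfif>
    <cfif structKeyExists(url, "status") AND len(trim(url.status))>
        AND status = <cfqueryparam value="#url.status#" cfsqltype="cf_sql_varchar" maxlength="20">
    </cfif>
    ORDER BY order_id
</cfquery>

<!--- Contrast with the cfsavecontent route in the thread: whatever the "test"
      variable holds is emitted as plain text into the SQL, so it is not a bound
      parameter and the DBMS cannot tell it apart from any other text in the query. --->

<!--- Verification (assumes result.sqlparameters is populated, e.g. Adobe CF 8+
      or Lucee): the SQL text sent to the server contains only "?" placeholders
      and the user-supplied values travel separately. --->
<cfoutput>
    SQL sent: #qInfo.sql#<br>
    <cfif structKeyExists(qInfo, "sqlparameters")>
        Bound values: #arrayToList(qInfo.sqlparameters)#<br>
    </cfif>
</cfoutput>

<cfoutput query="getOrders">
    #order_id# / #customer_id# / #status# / #total#<br>
</cfoutput>
```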