Hi, I'm a bit concerned about ColdFusion's security vs SQL injection attacks. As a rule I use CFQUERYPARAMs for all parameters going into a query (I use MySQL as my db, if that makes any difference).

But it seems to me that the cf_sql_varchar type is still a liability since you can effectively pass any string into that field. So what's to stop people from trying an injection there? Setting the length on the string, as the LiveDocs suggest, seems a particularly lame defence. Any comments or suggestions for how I should deal with this? I've done some googling and keep coming up empty with solutions applicable to CF. Am I really going to have to check all string parameters myself before passing them into the db?

You received this message because you are subscribed to the Google Groups "cfaussie" group. For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en
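The point the question turns on is how the value reaches the database. With plain string interpolation the user's text becomes part of the SQL statement, so quote characters in it change the statement's meaning. With cfqueryparam the SQL sent to the driver contains a placeholder and the string is bound to it separately as data, so its content is compared against the column rather than parsed as SQL; maxlength is an extra input check on top of that, not the injection defence itself. The following is an added example, not code from the original post; the datasource "myDSN", the "users" table with "id" and "username" columns, and the form field names are assumed for illustration.

```cfml
<!--- Added example (hypothetical datasource, table and form fields). --->

<!--- Unsafe pattern: the submitted string is concatenated into the SQL text.
      Whatever quotes or keywords it contains are parsed as part of the query. --->
<cfquery name="qUnsafe" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE username = '#form.username#'
</cfquery>

<!--- Safe pattern: cfqueryparam binds the value as a parameter. The database
      receives "WHERE username = ?" and the string arrives separately as data,
      so no content of the string can alter the statement. maxlength only caps
      the length (throws if exceeded); it is a validation aid, not the defence. --->
<cfquery name="qSafe" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>

<!--- Typed parameters add a second check for free: a non-numeric value for a
      cf_sql_integer parameter is rejected before the query is sent. --->
<cfquery name="qById" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

Where an application still builds dynamic SQL (for example a column name in an ORDER BY clause, which cannot be bound as a parameter), cfqueryparam does not apply and the value must be checked against an allow-list of known column names before it is placed in the query text.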
