Not exactly sure why you believe cf_sql_varchar is more insecure
compared to the other cf sql types?  Other than it can accept text?

Things might have changed in recent times but when I was using CF7 &
SQL2000 this was how things worked.
The reason why using CFQUERYPARAM to pass data is so much better than
not using it is that your query is transformed into a temporary stored
procedure.  This is great because then you have all the protection of
calling a stored proc.  In short, your data is separated from your
executing SQL instead of SQL parsing and executing the code on the
fly.

Ross

On Jun 30, 4:15 pm, nedlud <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm a bit concerned about ColdFusion's security vs. SQL injection
> attacks. As a rule I use CFQUERYPARAMs for all parameters going into
> a query (I use MySQL as my db, if that makes any difference).
>
> But it seems to me that the cf_sql_varchar type is still a liability
> since you can effectively pass any string into that field. So what's
> to stop people from trying an injection there? Setting the length on
> the string, as the live docs suggest, seems a particularly lame
> defence.
>
> Any comments or suggestions for how I should deal with this?
>
> I've done some googling and keep coming up empty with solutions
> applicable to CF.
>
> Am I really going to have to check all string parameters myself before
> passing them into the db?