The one thing to remember is that SQL injection via the query param cf_sql_varchar removes any unwanted attacks. Mainly SQL itself.
I still wish on my wishlist for ColdFusion to do all that behind the scenes for you; oh well, maybe one day.

--
Senior ColdFusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 8676 4223
Mobile: 0404 998 273

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of nedlud
Sent: Monday, 30 June 2008 3:16 PM
To: cfaussie
Subject: [cfaussie] Re: SQL Injection?

I was just doing some more reading about this problem. Stored procedures are still susceptible to SQL injection *if* they dynamically modify the query based on the user input. But from what I can see, ColdFusion uses parameterised queries, which should be safe. At least I can't find any particular mention of exploits for them online (yet ;) ).

My concern was that any time you are accepting string input from a user, the data still needs to be sanitised before use, and cf_sql_varchar is still just a string. A string by any other name would be just as vulnerable.

So yes, my only concern is that it can accept text, but that text does not appear to get executed by the DB, which is a good thing :)

As Zac points out, the data is still potentially dangerous as a possible XSS attack later on (client side, not server side). But as for my concern about SQL attacks, I'm more comfortable now about using cfqueryparams.
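The two points the thread makes (cfqueryparam turns user input into a bound parameter the database never parses as SQL, while the stored string still needs encoding when it is output to a browser), as an added example that is not code from the thread or from any of its posters. It goes slightly beyond the cf_sql_varchar case discussed above to show the integer case, which is where raw interpolation in cfquery actually bites. Everything named here is assumed for illustration: a datasource "mydsn", a table "users" with columns id, username and bio, a stored procedure "usp_GetUserByName", and request variables url.id and form.username.

```cfml
<!--- Added example, not from the cfaussie thread. Assumed: datasource "mydsn",
      table users(id, username, bio), procedure usp_GetUserByName, and
      request variables url.id / form.username. Constructed attacker inputs: --->
<cfset badId   = "1 OR 1=1">
<cfset badName = "' OR '1'='1' --">

<!--- VULNERABLE: url.id is pasted straight into the SQL text. With badId the
      database receives  WHERE id = 1 OR 1=1  and returns every row.
      (Note: inside cfquery ColdFusion doubles single quotes in interpolated
      string variables, so the classic quote-based payload is blunted in a
      quoted context; a numeric context like this one has no quotes to
      escape, which is why it is the usual CF injection point.) --->
<cfquery name="qVulnerable" datasource="mydsn">
    SELECT id, username, bio
    FROM users
    WHERE id = #badId#
</cfquery>

<!--- SAFE: cfqueryparam sends the statement with a placeholder and the value
      as a typed bound parameter. cf_sql_integer rejects "1 OR 1=1" before the
      query is even sent, because it is not a valid integer. --->
<cfquery name="qById" datasource="mydsn">
    SELECT id, username, bio
    FROM users
    WHERE id = <cfqueryparam value="#badId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- SAFE: with cf_sql_varchar the value is bound as a string. The database
      looks for a user literally named  ' OR '1'='1' --  and returns no rows;
      nothing in the value is parsed as SQL. maxlength bounds the input. --->
<cfquery name="qByName" datasource="mydsn">
    SELECT id, username, bio
    FROM users
    WHERE username = <cfqueryparam value="#badName#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>

<!--- A stored procedure called with cfprocparam is equally safe at the call
      site. It is only injectable if its own body builds SQL from @username
      with string concatenation and EXEC, which is the case the thread warns
      about and which no amount of client-side parameterisation can fix. --->
<cfstoredproc procedure="usp_GetUserByName" datasource="mydsn">
    <cfprocparam cfsqltype="cf_sql_varchar" value="#badName#" maxlength="50">
    <cfprocresult name="qProc">
</cfstoredproc>

<!--- XSS is a separate problem: cfqueryparam stores the string exactly as
      given, so a bio containing <script> comes back out of the database
      unchanged. Encode at output time for the context it lands in.
      encodeForHTML() is the current function (ColdFusion 10+); on the
      CF8-era servers of this thread the equivalent is HTMLEditFormat(). --->
<cfoutput query="qByName">
    <p>#encodeForHTML(username)#: #encodeForHTML(bio)#</p>
</cfoutput>
```

The design point is that the two controls sit at different boundaries: cfqueryparam protects the database boundary on the way in, and output encoding protects the browser boundary on the way out. Sanitising the string once "before use" does neither job correctly, because the safe encoding depends on where the string is going, not where it came from.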
