Sorry, that's maybe my wording...

I should have meant the DB level and Bind Variables and possible pooling.

The actual SQL injection checks would need to be done prior to passing it
to the underlying JDBC driver, and could be handled by the cfquery tag
automatically.

Sorry for the confusion.



On Fri, Jul 25, 2008 at 4:35 PM, Chris Velevitch <[EMAIL PROTECTED]>
wrote:

>
> On Fri, Jul 25, 2008 at 11:20 AM, Andrew Scott
> <[EMAIL PROTECTED]> wrote:
> >
> > And as all JDBC drivers support what cfqueryparam offers, then the ability
> > to turn that feature on or off would have been nicer.
>
> I don't think that's quite right. As I understand it, queries are
> passed as strings to the driver which then calls the underlying
> database to parse the query. If you don't use cfqueryparam, the data
> is included in the string. That's how code injection occurs.
>
> If you use cfqueryparam, cf inserts placeholders for each parameter
> and passes an array of values that correspond to each placeholder.
>
>
> Chris
> --
> Chris Velevitch
> Manager - Adobe Platform Users Group, Sydney
> m: 0415 469 095
> www.apugs.org.au
>
> Adobe Platform Users Group, Sydney
> July meeting: Taming The Code
> Date: Mon 28th July 6pm for 6:30 start
> Details and RSVP on http://apugs2008july.eventbrite.com.
>
> >
>


-- 



Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 8676 4223
Mobile: 0404 998 273
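To put the two mechanisms discussed in this thread side by side, here is an added example (not code from either poster). It assumes a hypothetical `users` table and a datasource named `myDSN`, both constructed for illustration.

```cfml
<!--- Constructed example: hypothetical "users" table and "myDSN" datasource. --->

<!--- Before: the request value is interpolated into the SQL text. The JDBC
      driver receives a single string and cannot tell data from query syntax,
      which is the situation Chris describes above. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username, email
    FROM   users
    WHERE  id = #url.id#
</cfquery>

<!--- After: cfqueryparam leaves a placeholder ("?") in the SQL that is sent
      to the driver and passes the value separately as a typed bind variable,
      so the database never parses it as part of the statement. cfsqltype also
      rejects a value that is not an integer before the query is executed. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username, email
    FROM   users
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String columns get the same treatment; maxlength adds a length check
      on top of the bind variable. --->
<cfquery name="getUserByName" datasource="myDSN">
    SELECT id, username, email
    FROM   users
    WHERE  username = <cfqueryparam value="#form.username#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>
```

Because the placeholder form is what the driver sees, the same SQL text can also be reused by the database's statement cache, which is the pooling benefit mentioned at the top of this message.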

