http://www.cflib.org/udf.cfm?ID=1219
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Magnus Wege
Sent: 05 July 2005 09:20
To: [email protected]
Subject: [CFCDev] CFC Functions Escaping ' using methods

Hello,

I have a question concerning the escaping of strings, especially the char ' which can and does cause SQL injection if not escaped.

The problem is: using a getter method without escaping in a SQL query causes an error and allows SQL injection!

<cfquery ....>
UPDATE Table SET sName = '#oObject.getName()#'
</cfquery>

IS NOT SECURE, BECAUSE OF THE USE OF A FUNCTION!

Therefore I would prefer the usage of <cfqueryparam>, but I encountered again a problem with Unicode characters, because the N is not allowed, e.g. this is an error:

N<cfqueryparam ... />

Of course you can enable Unicode for each datasource in the ColdFusion Administrator individually. I am just curious about the just implemented N'#myvar#' statements in existing SQL statements? Is there any best practice on this issue?

Any help is appreciated... thx in advance

PS: Development environment: we use CFMX 6.1

Magnus
web-shuttle AG, Munich, Germany

----------------------------------------------------------
You are subscribed to cfcdev. To unsubscribe, send an email to [email protected] with the words 'unsubscribe cfcdev' as the subject of the email.
CFCDev is run by CFCZone (www.cfczone.org) and supported by CFXHosting (www.cfxhosting.com).
CFCDev is supported by New Atlanta, makers of BlueDragon http://www.newatlanta.com/products/bluedragon/index.cfm
An archive of the CFCDev list is available at www.mail-archive.com/[email protected]
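The pattern Magnus describes, as an added example that is not part of this thread: a minimal getter CFC (User.cfc, assumed and illustrative) and the same UPDATE written first as in the message, with the getter's return value interpolated into the SQL string, then with every value bound through <cfqueryparam>. The datasource name myDSN, the table columns sName and nId, and the sample value are assumptions.

```cfml
<!--- User.cfc (assumed, illustrative): a plain CFC with getters, as in the message --->
<cfcomponent>
    <cffunction name="init" returntype="User" output="false">
        <cfargument name="id" type="numeric" required="true">
        <cfargument name="name" type="string" required="true">
        <cfset variables.nId = arguments.id>
        <cfset variables.sName = arguments.name>
        <cfreturn this>
    </cffunction>
    <cffunction name="getId" returntype="numeric" output="false">
        <cfreturn variables.nId>
    </cffunction>
    <cffunction name="getName" returntype="string" output="false">
        <cfreturn variables.sName>
    </cffunction>
</cfcomponent>

<!--- update.cfm: constructed sample value containing the apostrophe the message is about --->
<cfset oObject = createObject("component", "User").init(id=42, name="O'Brien")>

<!--- Vulnerable form from the message. ColdFusion doubles single quotes in plain
      #variables# inside cfquery, but a function's return value gets no such
      treatment, so the apostrophe in O'Brien ends the string literal early:
      the statement errors, and a crafted name would become SQL --->
<cfquery name="qBad" datasource="myDSN">
    UPDATE Table SET sName = '#oObject.getName()#'
    WHERE nId = #oObject.getId()#
</cfquery>

<!--- Hardened form: the same getter calls, but each value is bound as a
      query parameter with a declared type and length. No quotes are written
      by hand and no N prefix is needed; Unicode for the datasource is the
      Administrator-level setting the message mentions, not something to
      express in the SQL text --->
<cfquery name="qGood" datasource="myDSN">
    UPDATE Table
    SET sName = <cfqueryparam value="#oObject.getName()#" cfsqltype="cf_sql_varchar" maxlength="100">
    WHERE nId = <cfqueryparam value="#oObject.getId()#" cfsqltype="cf_sql_integer">
</cfquery>
```

The hardened query is what to grep for when reviewing an existing code base: any `'#...()#'` inside a cfquery, i.e. a quoted function call rather than a bound parameter, is a finding.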
