Even though you have a solid idea that those scoped variables won't be messed with, why wouldn't you use CFQUERYPARAM anyway? There is more benefit to using it than just protecting against vulnerabilities.

----- Original Message ----
From: Sam Singer <[EMAIL PROTECTED]>
To: [email protected]
Sent: Wednesday, August 6, 2008 12:40:15 PM
Subject: [ACFUG Discuss] <cfqueryparam> for application or session scoped variables

I'm using QueryParam Scanner to identify any potential vulnerabilities. It is flagging code that uses application or session scoped variables such as:

WHERE DeptID = #Application.DeptID#
ORDER BY Lastname

Should Application.DeptID be cfqueryparamed?

What about:

WHERE PersonID = #GetAuthUser()#

Thanks,
Sam

-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
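
The two flagged WHERE clauses from the thread, shown as interpolated and then bound with cfqueryparam. This is an added example, not code from either poster; the datasource name "hrDSN", the table "Staff", the selected columns, the SQL types and the maxlength value are assumptions.

```cfml
<!--- Added example. Datasource "hrDSN", table "Staff", and the SQL types
      below are assumptions, not taken from the thread. --->

<!--- As flagged by the scanner: the value is interpolated into the SQL text,
      so the statement the database sees changes with every value. --->
<cfquery name="qDeptInterpolated" datasource="hrDSN">
    SELECT PersonID, Lastname
    FROM Staff
    WHERE DeptID = #Application.DeptID#
    ORDER BY Lastname
</cfquery>

<!--- Bound parameter: the value is checked against cfsqltype before the
      query runs, and the database can reuse one prepared statement and
      execution plan for every DeptID. --->
<cfquery name="qDept" datasource="hrDSN">
    SELECT PersonID, Lastname
    FROM Staff
    WHERE DeptID = <cfqueryparam value="#Application.DeptID#" cfsqltype="cf_sql_integer">
    ORDER BY Lastname
</cfquery>

<!--- GetAuthUser() returns the authenticated user's name as a string.
      Assumption: PersonID is a character column; use cf_sql_integer
      instead if it is numeric. --->
<cfquery name="qPerson" datasource="hrDSN">
    SELECT PersonID, Lastname
    FROM Staff
    WHERE PersonID = <cfqueryparam value="#GetAuthUser()#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>
```

With the bound form, a value that does not match the declared type raises an error in ColdFusion before any SQL reaches the database, which also catches the case where an application or session variable was populated from request data somewhere else in the code.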
