Charlie could answer this best, but 'rule of thumb': if it can be rendered as part of an SQL statement (the variable parts, as in this = #var#) then yes, absolutely use <cfqueryparam> so you can specify var type, length etc. (cfsqltype, maxlength, value etc.). That way you can block/filter bad/incomplete/incompatible requests. Catch/throw the errors (involves some work), but this way you can ensure that someone can't answer 'yes I am' to a Boolean field (should have been caught elsewhere higher up, but this is just an example).
On Wed, Aug 6, 2008 at 12:40 PM, Sam Singer <[EMAIL PROTECTED]> wrote:
> I'm using QueryParam Scanner to identify any potential vulnerabilities. It
> is flagging code that uses application or session scoped variables such as:
>
> WHERE
> DeptID = #Application.DeptID#
> ORDER BY Lastname
>
> Should Application.DeptID be cfqueryparamed? What about:
> WHERE
> PersonID = #GetAuthUser()#
>
> Thanks,
> Sam
>
> -------------------------------------------------------------
> To unsubscribe from this list, manage your profile
> @ http://www.acfug.org?fa=login.edituserform
>
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by http://www.fusionlink.com
> -------------------------------------------------------------

--
Darin Kohles
RIA Developer
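An added example, not code from either message in the thread, that applies Darin's rule of thumb to the two WHERE clauses Sam quoted: the interpolated version beside the <cfqueryparam> version, with the catch/throw he mentions. The datasource name (hr_dsn), the table and column names (Person, Username, Lastname) and the assumption that PersonID is a string compared against the authenticated username are mine, not from the thread.

```cfml
<!--- Added example, not from the list thread. Assumes a datasource "hr_dsn"
      and a table "Person" with columns PersonID, Lastname, DeptID, Username;
      these names are assumptions. --->

<!--- Before: the variable parts are pasted straight into the SQL string,
      so whatever is in Application.DeptID becomes part of the statement. --->
<cfquery name="qBefore" datasource="hr_dsn">
    SELECT PersonID, Lastname
    FROM   Person
    WHERE  DeptID = #Application.DeptID#
    ORDER BY Lastname
</cfquery>

<!--- After: every variable part is a bound parameter. cfsqltype makes the
      driver type-check the value (a non-numeric DeptID is rejected before
      the query runs) and maxlength bounds the size of string input. --->
<cftry>
    <cfquery name="qPersons" datasource="hr_dsn">
        SELECT PersonID, Lastname
        FROM   Person
        WHERE  DeptID   = <cfqueryparam value="#Application.DeptID#"
                                        cfsqltype="cf_sql_integer">
          AND  PersonID = <cfqueryparam value="#GetAuthUser()#"
                                        cfsqltype="cf_sql_varchar"
                                        maxlength="50">
        ORDER BY Lastname
    </cfquery>

    <cfcatch type="any">
        <!--- Catch the rejection here, log the detail server-side, and
              rethrow a generic application error so the caller never sees
              the raw database or parameter message. --->
        <cflog file="query_errors" type="error"
               text="Query rejected: #cfcatch.message#">
        <cfthrow type="App.InvalidQueryInput"
                 message="Invalid query input">
    </cfcatch>
</cftry>
```

Scoped variables such as Application.DeptID still go through <cfqueryparam>: the scanner flags them because the query cannot tell where the value came from, and binding it costs nothing while also letting the database cache the prepared statement. The Boolean case Darin describes is handled the same way with cfsqltype="cf_sql_bit", which rejects a value like "yes I am" before it reaches the database.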
