Is cfprocparam any better than cfqueryparam?
On Oct 1, 1:25 pm, Shane Heasley <[EMAIL PROTECTED]> wrote:
> I recently posted the below on a CF forum in response to a question
> about how to avoid SQL injection attacks:
>
> If you can limit form field entries to alphas and numbers only then
> you are pretty safe.
>
> <cfset someFormField = REReplaceNoCase(form.comments, '[^a-z0-9]', '', 'all')>
>
> When you allow special characters then the risks skyrocket. Don't
> forget any field is open to attack - hidden form fields, drop lists,
> password fields (many forget those).
>
> You need to use cfqueryparam, htmledit format, and you need to limit
> extended characters unless you have no choice. If you allow special
> characters then you need to use some of the bad string removal
> functions available at cflib. Just keep in mind those functions get
> dated and were probably not 100% effective even when first written.
>
> In response, another forum member posted this link which I think is
> worth sharing. It just goes to show how difficult it is at present to
> stop SQL injection attacks when the input string cannot be character
> limited.
>
> http://blog.ninanet.com/blog1.php/2008/08/22/sql-injection-attacks-no...
>
> Anyone here have any suggestions other than limiting the character set
> or "trying" to identify and remove attack strings?
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the "Houston ColdFusion
Users' Group" discussion list.
To unsubscribe, send email to [EMAIL PROTECTED]
For more options, visit http://groups.google.com/group/houcfug?hl=en
-~----------~----~----~----~------~----~------~--~---
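To make the distinction the subject line asks about concrete, here is an added example (not from the original post, the quoted forum answer, or the linked article) contrasting a query that concatenates form input into the SQL text with the same query using cfqueryparam, followed by the stored-procedure equivalent with cfprocparam. The datasource name, table, procedure, column names and the form fields are assumed for illustration.

```cfml
<!--- UNSAFE: form input becomes part of the SQL text, so any quote
      or comment sequence the user types changes the statement. --->
<cfquery name="getComments" datasource="exampleDSN">
    SELECT id, body
    FROM   comments
    WHERE  author = '#form.author#'
</cfquery>

<!--- SAFE: the value travels to the driver as a bound parameter and is
      never parsed as SQL. cfsqltype also validates the value (a
      non-numeric string bound as cf_sql_integer throws before the query
      runs) and maxlength caps what the column will accept. --->
<cfquery name="getComments" datasource="exampleDSN">
    SELECT id, body
    FROM   comments
    WHERE  author = <cfqueryparam value="#form.author#"
                                  cfsqltype="cf_sql_varchar"
                                  maxlength="50">
      AND  page_id = <cfqueryparam value="#form.pageId#"
                                   cfsqltype="cf_sql_integer">
</cfquery>

<!--- cfprocparam is the same mechanism for stored procedures: the
      arguments are bound, not spliced into an EXEC string. It is not
      "safer" than cfqueryparam; it is the parameter binding for
      cfstoredproc, and the protection comes from binding in both cases. --->
<cfstoredproc procedure="usp_GetComments" datasource="exampleDSN">
    <cfprocparam type="in" cfsqltype="cf_sql_varchar"
                 value="#form.author#" maxlength="50">
    <cfprocparam type="in" cfsqltype="cf_sql_integer"
                 value="#form.pageId#">
    <cfprocresult name="getComments">
</cfstoredproc>

<!--- Caveat: parameters can only bind values. Parts of a statement that
      must vary structurally (here the ORDER BY column) cannot be
      parameterized, so the defence is an allow-list of known identifiers,
      never character stripping of the raw input. --->
<cfset allowedSorts = "id,author,created_on">
<cfset sortColumn = listFindNoCase(allowedSorts, form.sort) ? form.sort : "id">
<cfquery name="getCommentsSorted" datasource="exampleDSN">
    SELECT id, body
    FROM   comments
    WHERE  page_id = <cfqueryparam value="#form.pageId#" cfsqltype="cf_sql_integer">
    ORDER BY #sortColumn#
</cfquery>
```

The ternary operator in the allow-list line requires ColdFusion 9 or later; on older servers use a cfif block that sets sortColumn the same way.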