I think most code examples that you see are simplified for readability and to not clutter up the example.

We use cfqueryparams and stored procedures. As a rule, we also put val() around every numeric value (such as an ID) that is passed in from the outside (URL, Form, Attributes). We try to design our apps so that we query on an ID rather than a string, which makes it easier to control the values that come in from the outside. Of course this isn't always possible, and the queryparam and SP help. You might also consider using a #left(varName, fieldLength)# on string values as you send them through the queryparam or SP.

Jeremy

-----Original Message-----
From: derek bumpas [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 29, 2003 10:03 AM
To: [EMAIL PROTECTED]
Subject: SQL Injection

Hi all,

I would like to know how most of you are protecting against malicious users and checking for various attacks. I am most interested in protecting against SQL Injection. Most of the examples and code snippets that I have seen on both Macromedia and other sites don't seem to have ANY protection against this type of attack. The CFQUERYPARAM tag can help if used correctly, but what are some other techniques being used?

Thanks,
derek

-----------------------------------------------
To post, send email to [EMAIL PROTECTED]
To unsubscribe: Send UNSUBSCRIBE to [EMAIL PROTECTED]
To subscribe / unsubscribe: http://www.dfwcfug.org
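The techniques in Jeremy's reply (cfqueryparam with a typed parameter, val() on numeric IDs, left() on string values, and a stored procedure call), shown beside the unprotected query they replace. This is an added example, not code from the original thread or from either poster; the datasource name `myDSN`, the `users` table and its columns, the procedure name `usp_GetUserById`, and the 50-character column width are assumptions made for illustration.

```cfml
<!--- Added example (not from the original thread). Datasource "myDSN",
      table "users", its columns and procedure "usp_GetUserById" are
      assumed names; the 50-character width is an assumed column size. --->

<!--- 1. The unprotected pattern common in sample code: the raw URL value is
      pasted into the SQL text. A request such as ?id=1 OR 1=1 returns every
      row, and on drivers that allow stacked statements ?id=1; DROP TABLE users--
      does far worse. --->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT id, username, email
    FROM   users
    WHERE  id = #url.id#
</cfquery>

<!--- 2. Hardened: val() reduces whatever arrived to a number (a string that
      does not start with a number becomes 0), and cfqueryparam sends it as a
      typed bind parameter instead of as SQL text, so it is never parsed as SQL.
      val("1 OR 1=1") is 1, so the payload from step 1 simply looks up id 1. --->
<cfparam name="url.id" default="0">
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username, email
    FROM   users
    WHERE  id = <cfqueryparam value="#val(url.id)#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 3. String input where querying on an ID is not possible: trim it, cap it
      to the column width with left(), and still bind it as a typed parameter.
      maxlength makes cfqueryparam raise an error rather than pass on anything
      longer, which is a useful tripwire if the left() call is ever removed. --->
<cfparam name="form.username" default="">
<cfquery name="findUser" datasource="myDSN">
    SELECT id, username
    FROM   users
    WHERE  username = <cfqueryparam value="#left(trim(form.username), 50)#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>

<!--- 4. Stored procedure with the same numeric guard: cfprocparam binds the
      argument just as cfqueryparam does, so the ID is never string-spliced
      into an EXEC statement. --->
<cfstoredproc procedure="usp_GetUserById" datasource="myDSN">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#val(url.id)#">
    <cfprocresult name="getUserByProc">
</cfstoredproc>

<!--- 5. A stricter variant of the val() rule, placed before any of the queries
      above: refuse a tampered ID and record it, instead of silently letting it
      coerce to record 0. --->
<cfif NOT isNumeric(url.id) OR val(url.id) LTE 0>
    <cflog file="security" type="warning"
           text="Rejected non-numeric id in request for #cgi.script_name#">
    <cfabort>
</cfif>
```

The bind parameter in steps 2 to 4 is what actually stops the injection; val() and left() are defence in depth and input shaping, not a substitute for it. Note that val() maps any non-numeric input to 0, so without the check in step 5 a tampered request quietly becomes a lookup for id 0 rather than an error you can see in the logs.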
