Thank you for reporting this, we are looking into it.
However, let me de-alarm the alarmist portion of this post with respect
to SQL Injection attacks.
It has been a long-held view that you should _ALWAYS_ use CFQUERYPARAM
(aka prepared statements) for anything that accepts text from the open
public. If you still have code out in the field like this, then this
is bad and should be fixed ASAP. When I code review my team, it is one
of the top things that always gets picked off the list.
This is not a new thing and has always been the advice in many forums
for a number of years now. Always assume that your data from users is
always dirty and potentially dangerous. Do as much as you can to clean
and sanitize it.
If anything, it is just good practice. It does way more escaping and
preparation than the rudimentary escaping of ' -> \'.
Secondly, if you are using MySQL then the underlying driver and
database no longer suffer from this. So statements such as:
SELECT * FROM Table where a="'; drop database'
won't actually work. Java drivers do not suffer from this as much as
the PHP ones did where most of the scaremongering stories come from.
Wide-sweeping (and factually incorrect) statements such as the one you
posted here do not paint the full story and only go to incite panic
where none need exist.
Thank you for raising the issue with us and we are looking into it.
dRD wrote:
Basically, now, any code that uses built-in OBD functions inside
CFQUERY is exposed to SQL injection attacks.
--
official tag/function reference: http://openbd.org/manual/
mailing list - http://groups.google.com/group/openbd?hl=en
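As an added illustration of the CFQUERYPARAM advice in the reply above (this is example code, not code from the original post or from the OpenBD project), the same lookup is shown with the value spliced into the SQL string and then with the value bound as a parameter. The datasource name "appDSN", the "users" table and its columns, and the form/url fields are assumed for the example.

```cfml
<!--- Added example: inline interpolation vs. CFQUERYPARAM.
      Assumed: a datasource named "appDSN" with a "users" table
      (columns id, username); form.username, url.id and url.ids
      are request values supplied by the user. --->

<!--- VULNERABLE: the user's text is spliced into the SQL string.
      With form.username = x' OR '1'='1 the statement becomes
      SELECT id, username FROM users WHERE username = 'x' OR '1'='1'
      and returns every row. --->
<cfquery name="getUserBad" datasource="appDSN">
    SELECT id, username
    FROM users
    WHERE username = '#form.username#'
</cfquery>

<!--- SAFE: the value travels as a bound parameter, so a quote inside it
      is data, not SQL. cfsqltype tells the driver the column type and
      maxlength caps how much input is accepted. --->
<cfquery name="getUser" datasource="appDSN">
    SELECT id, username
    FROM users
    WHERE username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>

<!--- Numeric columns need it too: escaping ' -> \' does nothing for
      WHERE id = #url.id# when url.id is "1 OR 1=1", because there is no
      quote to escape. Binding as cf_sql_integer keeps the value out of
      the SQL text entirely. --->
<cfquery name="getUserById" datasource="appDSN">
    SELECT id, username
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- A comma-separated list of ids: list="true" binds one parameter
      per element instead of pasting the whole list into the SQL. --->
<cfquery name="getUsersByIds" datasource="appDSN">
    SELECT id, username
    FROM users
    WHERE id IN ( <cfqueryparam value="#url.ids#"
                                cfsqltype="cf_sql_integer"
                                list="true"> )
</cfquery>
```

The practical caveat is the numeric case: quote escaping only helps where the value sits inside quotes, so bind every user-supplied value with the column's real cfsqltype rather than escaping strings by hand.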