CFQueryParam and Unicode mixing

2010-07-25 Thread Igor Ilyinsky
Someone correct me if I am wrong, but if you enable non-latin text for a datasource, cfqueryparam will treat ALL cf_sql_varchar data as unicode. Meaning there is no way to specify a non-unicode (ansi) string other than to NOT use cfqueryparam? I'm trying to weigh the value of enabling the

Re: Form cleaner utility

2010-07-25 Thread Andrew Grosset
Check out OWASP...here is a CF implementation: http://blog.pengoworks.com/index.cfm/2008/1/3/Using-AntiSamy-to-protect-your-CFM-pages-from-XSS-hacks or the tinyurl link: http://tinyurl.com/yhl34tn I'm building a form cleaner utility method that might help thwart some XSS, clean my fields up,

Re: Form cleaner utility

2010-07-25 Thread Will Tomlinson
Why not just use CFQUERYPARAM bound parameters in your SQL? In my case, I'm scrubbing the data. cfqueryparam doesn't do that.

Re: Adobe no longer part of the OpenCFML committee

2010-07-25 Thread Mark Drew
Not at all. Mark Drew Railo Technologies UK Professional Open Source skype: mark_railo email: m...@getrailo.com gtalk: m...@getrailo.com tel:+44 7971 85 22 96 web:http://www.getrailo.com On 24 Jul 2010, at 19:06, Arsalan Tariq Keen wrote: Does this mean CFML is or will

Downside of CFQueryParam and Unicode mixing

2010-07-25 Thread cf-talk
Someone correct me if I am wrong, but if you enable non-latin text for a datasource, cfqueryparam will treat ALL cf_sql_varchar data as unicode. Meaning there is no way to specify a non-unicode (ansi) string other than to NOT use cfqueryparam? I'm trying to weigh the value of enabling the

Re: Adobe no longer part of the OpenCFML committee

2010-07-25 Thread Judah McAuley
Well, no, not at all. CF has been around for a rather long time and never had a committee to define the language. The work of this particular committee had some effect, helping make some changes late in the CF9 development cycle and some changes in Railo and OpenBD I believe, but by and large it

Re: Form cleaner utility

2010-07-25 Thread Dave Watts
Why not just use CFQUERYPARAM bound parameters in your SQL? In my case, I'm scrubbing the data. cfqueryparam doesn't do that. Right. That was directed to Andrew. CFQUERYPARAM doesn't provide any protection for XSS vulnerabilities. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/
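The distinction Dave draws above, as an added example that is not part of the thread: a bound parameter removes the SQL injection path on the INSERT, but the stored value comes back out of the database unchanged, so the page is only safe if it is encoded at output time. The datasource name "app", the comments table, and the constructed form value are assumptions for the illustration.

```cfml
<!--- Added example, not from the thread. Assumes a datasource "app" and a
      table comments(comment_id INT IDENTITY, body VARCHAR(2000)).
      The form value is a constructed XSS probe for the demonstration. --->
<cfparam name="form.body" default="<script>alert(document.cookie)</script>">

<!--- SQL injection: the bound parameter keeps the value out of the statement
      text, so quotes and semicolons in it are inert. That is all it does. --->
<cfquery datasource="app">
    INSERT INTO comments (body)
    VALUES (<cfqueryparam value="#form.body#" cfsqltype="cf_sql_varchar" maxlength="2000">)
</cfquery>

<cfquery name="recent" datasource="app">
    SELECT comment_id, body
    FROM comments
    ORDER BY comment_id DESC
</cfquery>

<!--- Vulnerable: the stored script tag is written straight into the HTML.
      cfqueryparam protected the INSERT; it cannot protect this output. --->
<cfoutput query="recent">
    <p>#recent.body#</p>
</cfoutput>

<!--- Hardened: encode for the HTML context where the value is rendered.
      HTMLEditFormat() (available on CF9) escapes <, >, & and ".
      On CF10 and later, EncodeForHTML() is the stronger, ESAPI-based
      choice; use it when you have it. --->
<cfoutput query="recent">
    <p>#HTMLEditFormat(recent.body)#</p>
</cfoutput>
```

Keep the encoding at the point of output rather than scrubbing on the way in: the same stored string may later be written into an attribute, a URL or a JavaScript string, each of which needs a different encoder, and a single input-time clean cannot anticipate all of them.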

Re: Form cleaner utility

2010-07-25 Thread Dave Watts
I'm building a form cleaner utility method that might help thwart some XSS, clean my fields up, etc. One nice thing about CF is that you can implement existing Java solutions. You can, for example, use Java servlet filters, which will process incoming requests before CF does. Andrew Grosset

Re: Downside of CFQueryParam and Unicode mixing

2010-07-25 Thread Dave Watts
Someone correct me if I am wrong, but if you enable non-latin text for a datasource, cfqueryparam will treat ALL cf_sql_varchar data as unicode. Meaning there is no way to specify a non-unicode (ansi) string other than to NOT use cfqueryparam? I believe this is correct. At least with MS
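The trade-off Igor raises and Dave confirms for MS SQL Server, as an added example that is not part of the thread. With the Administrator's Unicode option enabled, a cf_sql_varchar parameter is bound as NVARCHAR; SQL Server then converts a VARCHAR column to NVARCHAR for the comparison, which defeats an index seek on that column. Dropping cfqueryparam to get a plain VARCHAR literal reopens SQL injection, so the usual workaround is to cast the parameter instead. The datasource name "app", the users table and its columns are assumptions for the illustration.

```cfml
<!--- Added example, not from the thread. Assumes a MS SQL Server datasource
      "app" with "Enable Unicode for data sources" switched on, and a table
      users(user_id INT, username VARCHAR(50) indexed, display_name NVARCHAR(100)). --->
<cfparam name="form.username" default="alice">
<cfparam name="form.displayName" default="Алиса">

<!--- With the Unicode option on, this cf_sql_varchar param is bound as
      NVARCHAR. The VARCHAR column is implicitly converted for the comparison,
      so the index on username is scanned rather than seeked. --->
<cfquery name="byName" datasource="app">
    SELECT user_id, username
    FROM users
    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<!--- Workaround that keeps the bound parameter (no SQL injection) but
      compares as VARCHAR: cast the parameter, never the column. --->
<cfquery name="byNameCast" datasource="app">
    SELECT user_id, username
    FROM users
    WHERE username = CAST(<cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50"> AS VARCHAR(50))
</cfquery>

<!--- Columns that really hold non-Latin text need no workaround: the
      NVARCHAR parameter matches the NVARCHAR column. --->
<cfquery name="byDisplay" datasource="app">
    SELECT user_id, display_name
    FROM users
    WHERE display_name = <cfqueryparam value="#form.displayName#" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>
```

The cast only belongs on columns that are genuinely single-byte: casting a non-Latin input to VARCHAR silently turns characters outside the column's code page into question marks, so a lookup against an NVARCHAR column must not use it. Check the execution plan for the first two queries to see the seek versus scan difference on your own data.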

Re: CFQueryParam and Unicode mixing

2010-07-25 Thread Paul Hastings
On 7/25/2010 4:53 AM, Igor Ilyinsky wrote: Someone correct me if I am wrong, but if you enable non-latin text for a datasource, cfqueryparam will treat ALL cf_sql_varchar data as unicode. Meaning there is no way to specify a non-unicode (ansi) string other than to NOT use cfqueryparam?