April 9, 2008
Question

Breaking out of coldfusion code

  • April 9, 2008
  • 4 replies
  • 582 views
Hi, I have had issues in the past with ASP SQL injections, mainly on form entry, by entering a SQL string and breaking out of the ASP code. Is this an issue with ColdFusion? If so, what is the best way to stop this, and what would be the way to break out of ColdFusion code?

I do use SQL stored procedures; is this totally safe from SQL injections?

many thanks
This topic has been closed for replies.

4 replies

April 10, 2008
<script>window.alert("Like This");</script>
April 9, 2008
Dan Bracuk wrote:
> Personally I find js injections to be more of a threat than sql injections. I
> have tested both, and the only time I could get sql to execute was with MS SQL
> and a numeric datatype. The other dbs I tested were Oracle and Redbrick.
>

I just want to say, I have no trouble doing SQL injection on Oracle with
numeric data types as well.

String data types are much more difficult thanks to ColdFusion's habit
of automatically escaping single quotes, unless one has turned this off
with the preserveSingleQuotes() function.

But, I trust the rule of thumb that hackers have much more time than I
do to find obscure combinations of characters, escapes and/or commands.
Thus I just <queryParam...> so that the database knows to never ever
treat this piece of data as code.
April 10, 2008
ok many thanks.

So is it possible to break out of ColdFusion code, and how is JS injection caused?
April 9, 2008
Personally I find js injections to be more of a threat than sql injections. I have tested both, and the only time I could get sql to execute was with MS SQL and a numeric datatype. The other dbs I tested were Oracle and Redbrick.

April 9, 2008
craiglaw98 wrote:
> issue with coldfusion, if so what is the best way to stop this and what would
> be the way to break out of coldfusion code?

use cfqueryparam religiously.
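A worked illustration of the two answers above (numeric columns are the weak spot because ColdFusion only escapes single quotes, and the fix is to bind every value with cfqueryparam), added here as an example rather than code posted in the thread. The datasource `myDSN`, the `products` table, the `getProduct` stored procedure and the `url.id` parameter are assumptions.

```cfml
<!--- Constructed example: a product lookup keyed on url.id. --->

<!--- VULNERABLE: the value is pasted straight into the SQL text.
      ColdFusion's automatic single-quote escaping does not help here,
      because a numeric comparison needs no quotes: whatever text arrives
      in url.id becomes part of the statement the database parses. --->
<cfquery name="badLookup" datasource="myDSN">
    SELECT id, title FROM products WHERE id = #url.id#
</cfquery>

<!--- SAFE: cfqueryparam sends the value as a bound parameter. The driver
      rejects anything that is not an integer, and the database never
      treats the data as code. Never wrap user input in
      preserveSingleQuotes(), which switches the quote escaping off. --->
<cfquery name="goodLookup" datasource="myDSN">
    SELECT id, title FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Stored procedures are only as safe as the way they are called:
      bind the argument with cfprocparam instead of building an EXEC string. --->
<cfstoredproc procedure="getProduct" datasource="myDSN">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#url.id#">
    <cfprocresult name="procLookup">
</cfstoredproc>

<!--- Output side: the script-tag reply above works when stored text is
      echoed raw into the page. HTMLEditFormat() turns <, >, & and "
      into entities so the browser shows the text instead of running it. --->
<cfoutput query="goodLookup">
    <p>#HTMLEditFormat(title)#</p>
</cfoutput>
```

Every value that crosses the trust boundary gets the same treatment: a typed cfqueryparam or cfprocparam on the way into the database, and an HTML-encoding function on the way out to the browser.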