mark416 wrote:
> I pass data with a form to a cfm action file; the action file has a cfquery to
> communicate with the database.
>
> What happens if I pass an SQL statement (for instance delete) from the form to
> the action page?
>
> Do I have to write special code to prevent SQL injection in ColdFusion?
>
> Thanks
>
> Mark
>
The basic building block of SQL injection prevention in ColdFusion is
<cfqueryparam...>. This tells the database that this value is a parameter, will
always be a parameter, and will never contain code, so the database will never
execute anything contained in the parameter. This assumes the database supports
bind parameters, which most do.
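As an added illustration (not code from the poster above), here is the same cfquery written first with the form value concatenated into the SQL text and then with cfqueryparam. The datasource name `myDSN`, the `users` table and the `form.userId` field are assumed for the example.

```cfml
<!--- Vulnerable form (for contrast only): the raw form value becomes part of the
      SQL string the database parses. ColdFusion doubles single quotes inside
      quoted string literals, but a numeric comparison like this one has no
      quotes, so whatever the user submitted is parsed as SQL text. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE id = #form.userId#
</cfquery>

<!--- Hardened form: cfqueryparam sends the value as a bind parameter, separate
      from the SQL text, so the database never parses it as code. The cfsqltype
      also makes ColdFusion validate the value first; a non-integer value for
      cf_sql_integer raises an error before the query reaches the database. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE id = <cfqueryparam value="#form.userId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String columns get the same treatment; maxlength bounds the input size. --->
<cfquery name="findUser" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>
```

A useful habit is to treat every `#...#` interpolation inside a cfquery as a finding during review, and to allow it only for things that cannot be bound as parameters (table or column names chosen from a fixed whitelist in your own code), never for values that originate in form, URL or cookie scope.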