macromedia.coldfusion.database_access

Re: Problem with SQL Security Settings

Subject: Re: Problem with SQL Security Settings
From: GArlington <garlington@xxxxxxxxxxxxx>
Date: Thu, 17 Jan 2008 02:16:33 -0800 (PST)
Newsgroups: macromedia.coldfusion.database_access

On Jan 16, 7:30 pm, "Mike Palmquist" <webforumsu...@xxxxxxxxxxxxxx>
wrote:
> I use <cfqueryparam> tags only for entries that I would expect to be integers.
> I haven't been using <cfqueryparams> for text entry. However, this behavior
> didn't appear until I moved the site to CF8 Enterprise. I'm puzzled by this
> and, short of recoding our entire site to add cfqueryparam tags (which would
> involve changes to about 1200 files), I'm wondering if there's something
> different in the way CF8 is checking for SQL injection attacks, since this is a
> radically different behavior than I was getting with CF7 MX.
>
>  Thanks,
>
>  Mike

The safe and sure and only acceptable way of coding is to use
<cfqueryparams ... /> on ALL your user input that is sent to
<cfquery ... /> tags.
You can do a global replace on any number of files with most IDEs,
just make sure that your regexps in search and replace are correct.

In CF7 you could disable processing multiple statements in your
<cfquery .../> tag (you can still do it in CF8 too). I guess that CF8
behaviour was set to throw an exception in case the code tries to
execute multiple statements in your <cfquery .../> tag when they are
disabled.
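As an added illustration (not code from either poster), here is the pattern GArlington recommends: a text search field concatenated straight into the SQL, beside the same query with every value bound through <cfqueryparam>, including the list case that is easy to miss during a global replace. The datasource name, table and column names are assumptions.

```cfml
<!--- Vulnerable: the text field is concatenated into the SQL string.
      A single quote in the value ends the string literal early, and a
      semicolon starts a second statement, which is the multiple-statement
      case GArlington describes CF8 rejecting. --->
<cfquery name="qUserBad" datasource="myDSN">
    SELECT user_id, user_name
    FROM   users
    WHERE  user_name = '#form.userName#'
</cfquery>

<!--- Hardened: each user-supplied value is bound with <cfqueryparam>.
      The SQL text and the values reach the driver separately, so quotes
      and semicolons in the input are treated as data, never as SQL.
      maxlength caps the value so oversized input is rejected up front. --->
<cfquery name="qUserGood" datasource="myDSN">
    SELECT user_id, user_name
    FROM   users
    WHERE  user_name = <cfqueryparam value="#form.userName#"
                                     cfsqltype="cf_sql_varchar"
                                     maxlength="50">
    AND    status_id = <cfqueryparam value="#form.statusId#"
                                     cfsqltype="cf_sql_integer">
</cfquery>

<!--- A comma-separated list of ids (for example from a multi-select) is
      bound as a list, one parameter per element, instead of being pasted
      into the IN (...) clause as raw text. --->
<cfquery name="qUsersByRole" datasource="myDSN">
    SELECT user_id, user_name
    FROM   users
    WHERE  role_id IN (<cfqueryparam value="#form.roleIds#"
                                     cfsqltype="cf_sql_integer"
                                     list="true">)
</cfquery>
```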
