Dan Bracuk wrote:
> Personally I find js injections to be more of a threat than sql injections. I
> have tested both, and the only time I could get sql to execute was with MS SQL
> and a numeric datatype. The other dbs I tested were Oracle and Redbrick.
>
I just want to say, I have no trouble doing SQL injection on Oracle with
numeric data types as well.

String data types are much more difficult thanks to ColdFusion's habit
of automatically escaping single quotes, unless one has turned this off
with the preserveSingleQuotes() function.

But, I trust the rule of thumb that hackers have much more time than I
do to find obscure combinations of characters, escapes and/or commands.
Thus I just <queryParam...> so that the database knows to never ever
treat this piece of data as code.
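Added illustration of the point made above (example code, not from the original thread or either poster): the numeric case is the one ColdFusion's automatic single-quote escaping cannot help with, because a numeric comparison carries no quotes to escape, and cfqueryparam is what makes the database treat the value as data. The datasource name `appDSN`, the `users` table and its columns are assumed for the example.

```cfml
<!--- Constructed example, not from the original thread: a ColdFusion query that
      takes a numeric id from the URL. Datasource, table and column names are assumed. --->

<!--- Vulnerable form: the value is interpolated straight into the SQL text. Because
      a numeric column is compared without surrounding quotes, ColdFusion's automatic
      single-quote escaping does nothing here; whatever is in url.id becomes part of
      the statement the database executes. --->
<cfquery name="getUserUnsafe" datasource="appDSN">
    SELECT id, name
    FROM   users
    WHERE  id = #url.id#
</cfquery>

<!--- Hardened form: cfqueryparam sends the value as a bind variable, so the database
      receives it as data and never as part of the statement text. cfsqltype="cf_sql_integer"
      additionally makes ColdFusion reject a value that is not an integer before the
      query is sent at all. --->
<cfquery name="getUser" datasource="appDSN">
    SELECT id, name
    FROM   users
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same treatment for a string column. Here the automatic single-quote escaping the
      poster mentions would also apply, but the bind variable protects the query even
      if that escaping were disabled with preserveSingleQuotes(). maxlength bounds the
      input to what the column is expected to hold. --->
<cfquery name="getUserByName" datasource="appDSN">
    SELECT id, name
    FROM   users
    WHERE  name = <cfqueryparam value="#url.name#" cfsqltype="cf_sql_varchar" maxlength="64">
</cfquery>
```

The practical rule the example encodes: use cfqueryparam for every value that originates outside the application, numeric columns included, and pick the cfsqltype that matches the column so type validation happens in ColdFusion rather than being left to the database.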