gdemaria and myself have had an ongoing difference of opinion on sql injection vuln...
this is a huge question and I'd like to get feedback from many POV's
I believe cfquerparam is the only way to go, gd believes "placing a string in single quotes will help that because the injection will simply get saved into the database (if it fits).. "http://www.experts-exchange.com/Web_Development/WebApplications/Q_22473349.html
(for the benefit of the mssql and mysql folks, cfqueryparam "Verifies the data type of a query parameter and, for DBMSs that support bind variables, enables ColdFusion to use bind variables in the SQL statement. " It basically forces the db to take the input as typed and prevents the reading of multiple sql commands.
It's my (perhaps flawed) understanding that single quotes do not protect you
since if i do this as the example shows...
select * from mytable where somename= '#form.name#'
and pass this to the query
x'; DROP TABLE members; --
the query runs as
select * from mytable where somename= 'x'; DROP TABLE members; --'
isn't it true that by adding the x' you defeat the "value" of the quotes as the db will see that as end of first statement, start the next bit???
comments? ... happy to be proven wrong...
btw... gd... this is not meant to call you out, it's just that I want a good discussion about this as you've brought some doubts to my mind with what I thought was a "best practice"
x-posting this to mssql and mysql