Mark Kruger has another interesting and timely read about an ambitious SQL injection attack one of his clients recently experienced.
One thing's for sure, it's certainly an interesting time to be a developer. Hackers and spammers make sure of that :(
SQL injection has been around for so long that it is truly a crime if developers (ColdFusion developers at least) aren't using cfqueryparam for every WHERE clause in their queries. ColdFusion 8 allows you to use cachedwithin together with cfqueryparam, so there is really no excuse.
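To make the point concrete, here is an added example (not code from the original post or from Mark's client) showing the vulnerable pattern next to its cfqueryparam form, and the ColdFusion 8 combination of cachedwithin with cfqueryparam. The datasource name, table and column names (myDSN, users, userId, username) are assumed for illustration.

```cfml
<!--- VULNERABLE: the request value is spliced straight into the SQL text,
      so a crafted id rewrites the WHERE clause instead of being compared to it. --->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT userId, username
    FROM users
    WHERE userId = #url.id#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a bound parameter. The database
      always treats it as data of the declared type, never as SQL, and a
      non-numeric value is rejected before the query is sent. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT userId, username
    FROM users
    WHERE userId = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings get a type and a maxlength, which also bounds what is stored/compared. --->
<cfquery name="getByName" datasource="myDSN">
    SELECT userId, username
    FROM users
    WHERE username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>

<!--- IN clauses are the usual excuse for string concatenation; list="true"
      binds each comma-separated value separately. --->
<cfquery name="getSeveral" datasource="myDSN">
    SELECT userId, username
    FROM users
    WHERE userId IN (<cfqueryparam value="#url.ids#"
                                   cfsqltype="cf_sql_integer"
                                   list="true">)
</cfquery>

<!--- ColdFusion 8 and later: cachedwithin and cfqueryparam in the same query.
      The cache entry is keyed on the bound values, so different ids do not collide. --->
<cfquery name="getUserCached" datasource="myDSN"
         cachedwithin="#createTimeSpan(0, 0, 10, 0)#">
    SELECT userId, username
    FROM users
    WHERE userId = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

Note that cfqueryparam binds values only: table names, column names and ORDER BY directions cannot be passed as parameters, which is exactly the situation the Pete Freitag article linked below deals with.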
Update 25th July 2008
Pete Freitag has a nice article about the cases where you can't use cfqueryparam, and some nice solutions you can try instead. Well worth a read.