In ColdFusion, use <cfstoredproc> together with <cfprocparam> to invoke stored procedures with typed parameters rather than hand-built SQL, which limits what an attacker can do with an input parameter. If you use <cfquery>, wrap every dynamic value in <cfqueryparam> so that it is bound as a parameter instead of being spliced into the statement text.
In Java, audit every use of java.sql.Statement to see whether user-supplied data can ever alter the intent of the query. As a rule, do not use java.sql.Statement at all; use java.sql.PreparedStatement, or java.sql.CallableStatement for stored procedures, and bind all user-supplied values as parameters.
LDAP injection is also a possibility: a search filter assembled from user input can have its structure rewritten in the same way as a SQL query. Take care when authoring LDAP queries, and use a library that abstracts filter construction and escapes the characters that RFC 4515 reserves in filter values (such as *, (, ), \ and NUL) in every user-supplied value.
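As an added example (not part of the original guidance), the following Python shows what such an abstraction must do: a hand-written RFC 4515 escaping routine is applied to a user-supplied value before it is interpolated into a search filter, beside the raw-concatenation version it replaces. The filter shape and the attacker payload are constructed for illustration and do not come from the original text.

```python
# Added example: building an LDAP search filter safely by escaping the
# user-controlled value per RFC 4515 section 3 before interpolating it.
# The escaping routine is hand-written (not taken from any LDAP library);
# the filter shape and the payload are assumptions for illustration.

# RFC 4515: these characters must be written as \XX (hex) inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter.

    RFC 4515 requires '\\', '*', '(', ')' and NUL to be hex-escaped. Control
    characters and non-ASCII text are also escaped byte-by-byte (UTF-8) so the
    filter stays pure ASCII regardless of the input.
    """
    out = []
    for ch in value:
        if ch in _LDAP_FILTER_ESCAPES:
            out.append(_LDAP_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_lookup_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: raw concatenation of user input into the filter."""
    return "(&(objectClass=person)(uid=" + username + "))"


def build_user_lookup_filter(username: str) -> str:
    """Hardened pattern: the same filter, with the value escaped first."""
    return "(&(objectClass=person)(uid=" + escape_ldap_filter_value(username) + "))"


# Constructed attacker input: closes the uid assertion and ORs in a wildcard,
# which in the unsafe version turns a single-user lookup into "everyone".
PAYLOAD = "*)(uid=*))(|(uid=*"

if __name__ == "__main__":
    print(build_user_lookup_filter_unsafe(PAYLOAD))
    print(build_user_lookup_filter(PAYLOAD))
```

In the escaped filter the payload survives only as an opaque value to compare against uid; the number of grouping parentheses in the filter is fixed by the code, not by the caller.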
Never use string concatenation in order to create a SQL query.
Make sure that you escape any potentially dangerous output before sending it from your application to another interpreter, such as a client browser or a MySQL database, using the escaping rules of that interpreter. Escape only data that has already been validated, and escape it once, at the point where it is emitted. In PHP with MySQL, mysql_real_escape_string() escapes a value for use inside a quoted SQL string literal; it requires an open connection so that it can honour the connection's character set, and it offers no protection for a value placed in an unquoted (numeric) position. Treat escaping as a fallback, not a substitute for parameterized queries. Note also that the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0; current code should use mysqli_real_escape_string() or, better, prepared statements through mysqli or PDO.
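The following added example (not from the original text) runs the three approaches discussed above, concatenation, quote-escaping and parameter binding, against a small SQLite table constructed in the script. It shows that escaping only protects a value inside a quoted string literal and does nothing for a value placed in a numeric position, while a bound parameter is safe in either case. The escape_sql_string() helper is a minimal SQLite-style stand-in for a driver's escaping function, not a real implementation of mysql_real_escape_string().

```python
# Added example: three ways of getting a user-supplied value into a SQL
# statement, run against an in-memory SQLite table constructed here.
#   1) string concatenation: injectable
#   2) quote-escaping only: still injectable when the value is not quoted
#   3) a bound parameter: safe in both contexts
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return con


def names_by_id_concat(con: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the statement text is built by concatenating the input."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in con.execute(sql)]


def escape_sql_string(value: str) -> str:
    """Minimal SQLite-style escaping for a quoted string literal: doubles
    single quotes and backslashes. Illustrative stand-in for a driver's
    escaping function, not a real mysql_real_escape_string()."""
    return value.replace("\\", "\\\\").replace("'", "''")


def names_by_id_escaped(con: sqlite3.Connection, user_id: str) -> list:
    """Still vulnerable: escaping only protects a quoted string literal, but
    this statement puts the value in a numeric context with no quotes, so a
    payload without any quote characters passes through unchanged."""
    sql = "SELECT name FROM users WHERE id = " + escape_sql_string(user_id)
    return [row[0] for row in con.execute(sql)]


def names_by_name_escaped(con: sqlite3.Connection, name: str) -> list:
    """Escaping does hold when the value sits inside a quoted literal: the
    doubled quotes keep the payload a plain string that matches nothing."""
    sql = "SELECT name FROM users WHERE name = '" + escape_sql_string(name) + "'"
    return [row[0] for row in con.execute(sql)]


def names_by_id_param(con: sqlite3.Connection, user_id: str) -> list:
    """Safe: the value is bound as a parameter and can never change the
    statement's structure; a non-numeric id simply matches no row."""
    return [row[0] for row in con.execute("SELECT name FROM users WHERE id = ?", (user_id,))]


# Constructed attacker inputs
NUMERIC_PAYLOAD = "0 OR 1=1"     # no quote characters, so escaping has nothing to do
STRING_PAYLOAD = "' OR '1'='1"   # classic quoted-context payload

if __name__ == "__main__":
    db = make_db()
    print(names_by_id_concat(db, NUMERIC_PAYLOAD))    # every user
    print(names_by_id_escaped(db, NUMERIC_PAYLOAD))   # every user: escaping changed nothing
    print(names_by_name_escaped(db, STRING_PAYLOAD))  # []: escaping worked in quoted context
    print(names_by_id_param(db, NUMERIC_PAYLOAD))     # []: payload is just an unmatched value
```

The lesson is the one the text draws: escaping is context-dependent and easy to apply in the wrong place, whereas a bound parameter is correct regardless of where the value lands in the statement.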