Hi All,
A SQL injection attack is the biggest problem for a web developer. I will always suggest to users that the single quote ( ' ) is the most dangerous character, from which SQL injection normally starts, and the solution is really simple: just replace single quotes with two single quotes ( '' ) and you are pretty safe. I used to create one function (let's say sqlSafe) in Application.cfc, or in any class file extending Application.cfc, so it is easily accessible from everywhere.
function sqlSafe(required string strVal) {
    var sqlList = "',%";          // characters to escape: single quote and percent
    var replacementList = "'',\%"; // doubled single quote; backslash-escaped percent (for LIKE)
    return trim(replaceList(arguments.strVal, sqlList, replacementList));
}
We just need to call this function before attaching any user input string to a SQL query. I would really appreciate any suggestion which makes this function much stronger.
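As an added example (not code from the original post), here is the escaping approach placed in a query next to the same query written with cfqueryparam, which sends the value to the database driver as a typed parameter instead of as part of the SQL text. The datasource name, table and column names, and the input values are assumptions constructed for the example. Two points to note: quote escaping only helps where the value sits inside quotes, so a numeric field such as an id is not protected by it; and cfquery already doubles single quotes in #variables# referenced in its body, so a hand-escaped value would be escaped twice unless preserveSingleQuotes() is used.

```cfml
<cfscript>
// Escaping function in cfscript form (mirrors the post's sqlSafe).
function sqlSafe(required string strVal) {
    var sqlList = "',%";
    var replacementList = "'',\%";
    return trim(replaceList(arguments.strVal, sqlList, replacementList));
}

// Constructed request values standing in for form fields.
username = "o'brien";   // contains the single quote the post warns about
minId    = "5";         // a numeric field: quote escaping cannot protect this one
</cfscript>

<!--- 1) Escape and concatenate. The SQL is assembled as a plain string, so
      every caller must remember to call sqlSafe() and to quote the value.
      preserveSingleQuotes() stops cfquery from doubling the quotes a second
      time on top of what sqlSafe() already did. --->
<cfset sql = "SELECT id, username FROM users WHERE username = '" & sqlSafe(username) & "'">
<cfquery name="byEscaping" datasource="myDSN">
    #preserveSingleQuotes(sql)#
</cfquery>

<!--- 2) Bind parameters. The value travels separately from the SQL text, so a
      quote inside it is data, never syntax, and the integer type rejects
      anything that is not a number. --->
<cfquery name="byParam" datasource="myDSN">
    SELECT id, username FROM users
    WHERE username = <cfqueryparam value="#username#" cfsqltype="cf_sql_varchar" maxlength="50">
      AND id > <cfqueryparam value="#minId#" cfsqltype="cf_sql_integer">
</cfquery>
```

The second form is the one to standardise on: it covers strings and numbers alike and does not depend on every caller remembering to run the escaping function first.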