In the May 29th, 2005 listserv message from cflib.org, they mention
this function, sqlSafe():
[url]http://www.cflib.org/udf.cfm?id=1219[/url]

The function removes characters like single quotes that supposedly
allow an attacker to modify an sql statement. The function is further
discussed in this article:
[url]http://www.guardianlogic.com/?dna=articles&rna=cfdj2004[/url]

But here's my question, what exactly is the usefulness of this
function? ColdFusion *already* escapes single quotes. I'm unable to
duplicate the exploit discussed in the article. The article says that,
"to exploit this an attacker would simply have to enter ' or 1=1--
into the username field." That absolutely does not work, and I've tried
it just to make sure.

You want to see a real SQL injection vulnerability? If you had a query
like this:

select * from user_table where userID = #url.UID#

And an attacker set url.UID equal to: 0%201=1%20

That query will return *every* row from user_table. To fix this SQL
injection vulnerability, just use cfqueryparam or isNumeric() (or
better yet, do both).

I'm very concerned with writing secure code. As you can see, I know
what an SQL injection vulnerability is, and I know how to protect myself
against it. What I want to know is, is there another kind of
injection vulnerability that I'm not aware of? Because unless someone
can explain it to me, I'm not going to use this sqlSafe() function. I
don't think it actually does anything.
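The two cases the post contrasts, a quoted string value that quote-escaping does protect and an unquoted numeric value like `#url.UID#` that it does not, reduced to a runnable Python/sqlite3 demonstration. This is an added example, not the poster's code and not ColdFusion: `escape_single_quotes()` stands in for the automatic single-quote doubling the poster credits ColdFusion with, `find_by_id_parameterized()` stands in for the cfqueryparam plus isNumeric() fix, and the table schema, the sample rows and the `0 or 1=1` input (the tautology form of the poster's unquoted-number case) are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's user_table (assumed: integer userID)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user_table (userID integer primary key, username text)")
    conn.executemany(
        "insert into user_table values (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def escape_single_quotes(value):
    """Double every single quote: the escaping the post says ColdFusion applies
    automatically to values dropped into a query string."""
    return value.replace("'", "''")


def find_by_username_quoted(conn, username):
    # String column, value wrapped in quotes. Escaping keeps the literal closed,
    # so the ' or 1=1-- text from the article stays inside the string and
    # matches no row.
    sql = "select * from user_table where username = '%s'" % escape_single_quotes(username)
    return conn.execute(sql).fetchall()


def find_by_id_interpolated(conn, uid):
    # Mirrors the post's `where userID = #url.UID#`: there are no quotes around
    # the value, so quote escaping has nothing to act on and the input text is
    # parsed as SQL. This is the vulnerable form.
    sql = "select * from user_table where userID = %s" % escape_single_quotes(uid)
    return conn.execute(sql).fetchall()


def find_by_id_parameterized(conn, uid):
    # Hardened form: a numeric check (isNumeric() in the post) rejects anything
    # that is not an integer before any SQL runs, and the value is then passed
    # as a bound parameter (what cfqueryparam provides) rather than pasted into
    # the statement text.
    try:
        uid_int = int(uid)
    except (TypeError, ValueError):
        raise ValueError("userID must be an integer, got %r" % (uid,))
    return conn.execute(
        "select * from user_table where userID = ?", (uid_int,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(find_by_username_quoted(conn, "' or 1=1--"))   # [] : quote escaping holds
    print(find_by_id_interpolated(conn, "2"))             # one row
    print(find_by_id_interpolated(conn, "0 or 1=1"))      # every row: escaping did nothing
    print(find_by_id_parameterized(conn, "2"))            # one row
    try:
        find_by_id_parameterized(conn, "0 or 1=1")
    except ValueError as err:
        print("rejected before query:", err)
```

The interesting line is the vulnerable one: the escaped and unescaped strings are identical because the input contains no quote character at all, which is why a function that only strips or doubles quotes adds nothing to the protection of a numeric parameter. Binding the value (or at minimum validating that it is a number) is what closes that hole.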