> 2) I was passing the event id in the url as value and wasn't
> using the VAL function to qualify the variable (In sqlserver
> you can run sub queries and a malicious user could have used
> this to run a DELETE sub query in my code)

And just to be anal - don't forget to handle cases where url.id doesn't even exist. Also don't forget to handle cases where id = X, and X isn't in the database, i.e., url.id=99999999, or maybe id is too big, url.id=9999999999999999999999999999.

> 3) I am using admin as the admin functions folder (am working
> with client to change this, they just need to be weaned)

I suggested this just as an anal-retentive change. My thinking is that you shouldn't make your admin control panel easy to find. Yes, I couldn't guess a password, but if it was a _bit_ harder to find the panel, it may slow down a hacker enough to drive him away.

-Ray
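One way to cover all four cases raised above (unqualified url.id reaching SQL Server, url.id missing, url.id too big for an integer column, and an id that is not in the database), as an added ColdFusion example that is not from the original thread. The datasource name, the events table and its column names are assumptions.

```cfml
<!--- Added example, not from the original thread. Validate url.id before it
      gets anywhere near the query, then bind it as a typed parameter. --->
<cfset eventId = 0>
<cfset idIsValid = false>

<!--- Case: url.id doesn't exist at all, or isn't a number --->
<cfif StructKeyExists(url, "id") AND IsNumeric(url.id)>
    <cfset eventId = Val(url.id)>
    <!--- Case: id too big (or negative/fractional) for a SQL Server INT --->
    <cfif eventId GT 0 AND eventId LTE 2147483647 AND eventId EQ Int(eventId)>
        <cfset idIsValid = true>
    </cfif>
</cfif>

<cfif NOT idIsValid>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid event id.</cfoutput>
    <cfabort>
</cfif>

<!--- cfqueryparam sends the value as a bound integer, so a sub query in
      url.id is never concatenated into the SQL text. Datasource/table/column
      names are assumed for this example. --->
<cfquery name="getEvent" datasource="#application.dsn#">
    SELECT eventId, eventName
    FROM events
    WHERE eventId = <cfqueryparam cfsqltype="cf_sql_integer" value="#eventId#">
</cfquery>

<!--- Case: id = X, and X isn't in the database --->
<cfif getEvent.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput>No such event.</cfoutput>
    <cfabort>
</cfif>

<cfoutput>#getEvent.eventName#</cfoutput>
```

Val() alone still turns "12 OR 1=1" into 12, so the range check and cfqueryparam are what guarantee the id is an integer by the time SQL Server sees it.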
