Any variable that you're using to filter needs to have a cfqueryparam tag. Even if you have 30, each should have one.
On Tue, Mar 11, 2008 at 3:46 PM, Frank Velazquez <[EMAIL PROTECTED]> wrote:
> Ok, I get the use of cfqueryparam, but how about all the other form fields?
> Aren't they also bound to an attack?
>
> Let's say I have this:
>
> <CFQUERY NAME="qPrize" DATASOURCE="Prizes">
> SELECT *
> FROM DailyPrizes
> WHERE PrizeId = <cfqueryparam cfsqltype="cf_sql_numeric"
> value="#FORM.PrizeId#">
> </cfquery>
>
> What happens with all the other fields that also input data into my db?
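
The following is an added example, not part of the original thread: it shows the advice above applied to form fields that write data as well as to the ones that filter. Only the `Prizes` datasource, the `DailyPrizes` table and `PrizeId` come from the question; the other column names, form field names and lengths are hypothetical.

```cfml
<!--- Hypothetical form fields: validate type up front so bad input fails before the query runs --->
<cfparam name="FORM.PrizeId"     type="numeric">
<cfparam name="FORM.PrizeName"   type="string">
<cfparam name="FORM.PrizeValue"  type="numeric">
<cfparam name="FORM.DrawDate"    type="date">
<cfparam name="FORM.Notes"       type="string" default="">
<cfparam name="FORM.CategoryIds" type="string" default="">

<!--- UPDATE: every value written AND every value used to filter is bound --->
<cfquery name="qUpdatePrize" datasource="Prizes">
    UPDATE DailyPrizes
    SET PrizeName  = <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.PrizeName#" maxlength="100">,
        PrizeValue = <cfqueryparam cfsqltype="cf_sql_decimal" value="#FORM.PrizeValue#" scale="2">,
        DrawDate   = <cfqueryparam cfsqltype="cf_sql_date"    value="#FORM.DrawDate#">,
        <!--- An empty optional field is stored as NULL instead of an empty string --->
        Notes      = <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.Notes#" maxlength="500"
                                   null="#NOT len(trim(FORM.Notes))#">
    WHERE PrizeId  = <cfqueryparam cfsqltype="cf_sql_numeric" value="#FORM.PrizeId#">
</cfquery>

<!--- INSERT: same rule, one cfqueryparam per form value --->
<cfquery name="qAddPrize" datasource="Prizes">
    INSERT INTO DailyPrizes (PrizeName, PrizeValue, DrawDate)
    VALUES (
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.PrizeName#" maxlength="100">,
        <cfqueryparam cfsqltype="cf_sql_decimal" value="#FORM.PrizeValue#" scale="2">,
        <cfqueryparam cfsqltype="cf_sql_date"    value="#FORM.DrawDate#">
    )
</cfquery>

<!--- IN (...) filter from a comma-separated field: list="true" binds each element separately --->
<cfif len(trim(FORM.CategoryIds))>
    <cfquery name="qByCategory" datasource="Prizes">
        SELECT PrizeId, PrizeName
        FROM DailyPrizes
        WHERE CategoryId IN (
            <cfqueryparam cfsqltype="cf_sql_integer" value="#FORM.CategoryIds#" list="true">
        )
    </cfquery>
</cfif>
```

A value that does not match its declared `cfsqltype` or exceeds `maxlength` makes ColdFusion throw before the statement reaches the database, so wrap these queries in whatever error handling the application already uses.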
