That's your job. CFML has language features to help you prevent this kind of attack, but it is not a "bug" (actually, in all honesty, it is a DBMS and driver feature) and so it is not MM's job to "protect" you at all.
And yes, you can use Val(). <CFQUERYPARAM> is a good option too. Or use both.

--- Ben

-----Original Message-----
From: Chad Gray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 3:07 PM
To: CF-Talk
Subject: CF and passing SQL commands through a form

Do we have anything to worry about if someone enters a SQL command into a form field or URL?

Like the form is collecting a user's ID and passing the user's ID to this action page:

SELECT * FROM users WHERE user = #FORM.user#

Can someone enter into the form field:

9; DROP TABLE users;

Thus creating on the action side:

SELECT * FROM users WHERE user = 9; DROP TABLE users;

Has MM protected us from this kind of attack or do we have to protect ourselves with val(), etc.?
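The two defenses Ben names, Val() and <CFQUERYPARAM>, side by side with the concatenated query from Chad's post. This is an added example, not code from either poster: it uses Python and an in-memory SQLite table as a stand-in for the CFML page and its DBMS, `executescript` stands in for a driver that accepts batched statements, and `val()` is a hypothetical approximation of CFML's Val() (leading integer, else 0).

```python
import re
import sqlite3

# Constructed sample data standing in for the "users" table in the post.
def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(user INTEGER, name TEXT);"
        "INSERT INTO users VALUES (9, 'chad'), (10, 'ben');"
    )
    return conn

def users_table_exists(conn):
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row[0] == 1

def lookup_unsafe(conn, form_user):
    # The pattern from the post: SELECT * FROM users WHERE user = #FORM.user#
    # The form value becomes part of the SQL text, so a batch separator and a
    # second statement are run exactly like the first one.
    conn.executescript(f"SELECT * FROM users WHERE user = {form_user}")

def lookup_param(conn, form_user):
    # Equivalent of <cfqueryparam value="#FORM.user#" cfsqltype="cf_sql_integer">:
    # the value is bound as data and is never parsed as SQL.
    return conn.execute(
        "SELECT name FROM users WHERE user = ?", (form_user,)
    ).fetchall()

def val(s):
    # Hypothetical approximation of CFML Val(): leading integer of the string, else 0.
    m = re.match(r"\s*[-+]?\d+", str(s))
    return int(m.group()) if m else 0

def demo(payload="9; DROP TABLE users"):
    unsafe = new_db()
    lookup_unsafe(unsafe, payload)          # both statements execute
    safe = new_db()
    param_rows = lookup_param(safe, payload)   # whole string compared as one value
    val_rows = lookup_param(safe, val(payload))  # Val() keeps only the 9
    return {
        "unsafe_table_survives": users_table_exists(unsafe),
        "param_table_survives": users_table_exists(safe),
        "param_rows": param_rows,
        "val_rows": val_rows,
    }
```

With the parameterized query the payload simply matches no row; with Val() it is reduced to the integer 9 before it reaches the database, and the table survives in both cases.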

