Use <cfqueryparam> for validation purposes. I've seen docs on this, but can't remember where off the top of my head.
-----Original Message-----
From: Chad Gray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 2:07 PM
To: CF-Talk
Subject: CF and passing SQL commands through a form

Do we have anything to worry about if someone enters a SQL command into a form field or URL?

Like the form is collecting a user's ID and passing the user's ID to this action page:

    SELECT * FROM users WHERE user = #FORM.user#

Can someone enter into the form field:

    9; DROP TABLE users;

Thus creating on the action side:

    SELECT * FROM users WHERE user = 9; DROP TABLE users;

Has MM protected us from this kind of attack or do we have to protect ourselves with val().. etc...?
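The fix suggested in the reply, as an added example that is not part of the original thread: the query from the question as posted (kept inside a comment), followed by the same query with the form value bound through <cfqueryparam>. The datasource name appDSN and the query name getUser are assumptions; the table and column names come from the question.

```cfml
<!--- Added example. Datasource "appDSN" and query name "getUser" are assumptions. --->

<!--- BEFORE (as posted in the question): the form value becomes part of the
      SQL text, so an input of "9; DROP TABLE users;" yields
      SELECT * FROM users WHERE user = 9; DROP TABLE users;

      <cfquery name="getUser" datasource="appDSN">
          SELECT * FROM users WHERE user = #FORM.user#
      </cfquery>
--->

<!--- AFTER: reject a missing or non-numeric value before touching the database. --->
<cfif NOT IsDefined("FORM.user") OR NOT IsNumeric(FORM.user)>
    <cfoutput>Invalid user ID.</cfoutput>
    <cfabort>
</cfif>

<!--- cfqueryparam checks the value against the declared SQL type and hands it
      to the driver as a bound parameter, so it is never parsed as SQL. --->
<cfquery name="getUser" datasource="appDSN">
    SELECT *
    FROM users
    WHERE user = <cfqueryparam value="#FORM.user#" cfsqltype="CF_SQL_INTEGER">
</cfquery>

<cfoutput>#getUser.RecordCount# row(s) found.</cfoutput>
```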

