That's it, thanks Bryan.

-----Original Message-----
From: Bryan F. Hogan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 2:16 PM
To: CF-Talk
Subject: Re: CF and passing SQL commands through a form
In my opinion this is the way to go: http://www.sys-con.com/coldfusion/article.cfm?id=398

-----Original Message-----
From: Ryan Kime <[EMAIL PROTECTED]>
To: CF-Talk <[EMAIL PROTECTED]>
Date: Wednesday, July 31, 2002 3:22 PM
Subject: RE: CF and passing SQL commands through a form

>Use <cfqueryparam> for validation purposes. I've seen docs on this, but
>can't remember where off the top of my head.
>
>
>-----Original Message-----
>From: Chad Gray [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, July 31, 2002 2:07 PM
>To: CF-Talk
>Subject: CF and passing SQL commands through a form
>
>
>Do we have anything to worry about if someone enters a SQL command into
>a form field or URL?
>
>Like the form is collecting a user's ID and passing the user's ID to this
>action page:
>
>SELECT *
>FROM users
>WHERE user = #FORM.user#
>
>Can someone enter into the form field:
>
>9; DROP TABLE users;
>
>Thus creating on the action side:
>
>SELECT *
>FROM users
>WHERE user = 9; DROP TABLE users;
>
>Has MM protected us from this kind of attack or do we have to protect
>ourselves with val().. etc...?
>
>
>

______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
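Worked example, added here and not code from the thread or from Macromedia's ColdFusion: Chad's query with the raw form value pasted into the SQL text, beside the validated and parameterized form Ryan recommends. It is written in Python against an in-memory SQLite table with constructed sample rows; the ColdFusion equivalent of safe_lookup below is `WHERE user = <cfqueryparam value="#FORM.user#" cfsqltype="cf_sql_integer">`, and the int() check plays the role of the val() Chad asks about. Python's sqlite3 refuses to execute more than one statement per call, so the run_batch helper is an assumption that stands in for a driver which accepts stacked statements (it splits the batch on ';'), which is what lets the DROP TABLE payload land.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "users" table.
SAMPLE_USERS = [(9, "chad"), (10, "ryan"), (11, "bryan")]


def make_db():
    """Fresh in-memory SQLite database with a users(user, name) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def run_batch(conn, sql):
    """Assumed stand-in for a driver that runs a ';'-separated batch.

    sqlite3.execute() accepts one statement per call, so the batch is split
    naively on ';' and each piece is executed in turn; the rows of the last
    statement are returned, as a batch-capable driver would do.
    """
    rows = []
    for stmt in filter(None, (s.strip() for s in sql.split(";"))):
        rows = conn.execute(stmt).fetchall()
    return rows


def vulnerable_lookup(conn, form_user):
    """The pattern from the thread: the form value becomes part of the SQL text.

    "9 OR 1=1" widens the WHERE clause to every row; "9; DROP TABLE users;"
    appends a second statement that the batch runner executes.
    """
    sql = f"SELECT user, name FROM users WHERE user = {form_user}"
    return run_batch(conn, sql)


def bound_only_lookup(conn, form_user):
    """Parameter binding with no type check.

    The payload is sent as a literal value, never parsed as SQL, so it is
    compared against the column and simply matches nothing.
    """
    return conn.execute(
        "SELECT user, name FROM users WHERE user = ?", (form_user,)
    ).fetchall()


def safe_lookup(conn, form_user):
    """Validate as an integer, then bind it: the val() check plus cfqueryparam.

    Anything that is not a whole number is rejected before the database
    sees it, and the accepted value travels as a bound parameter.
    """
    try:
        user_id = int(form_user)
    except ValueError:
        raise ValueError(f"rejected non-integer user id: {form_user!r}")
    return conn.execute(
        "SELECT user, name FROM users WHERE user = ?", (user_id,)
    ).fetchall()


def table_exists(conn, name):
    """True if a table with this name still exists in the database."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, '9':          ", vulnerable_lookup(conn, "9"))
    print("vulnerable, '9 OR 1=1':   ", vulnerable_lookup(conn, "9 OR 1=1"))
    vulnerable_lookup(conn, "9; DROP TABLE users;")
    print("users table still exists: ", table_exists(conn, "users"))

    conn = make_db()
    for payload in ("9", "9 OR 1=1", "9; DROP TABLE users;"):
        try:
            print(f"safe, {payload!r}:", safe_lookup(conn, payload))
        except ValueError as err:
            print("safe:", err)
    print("bound only, '9 OR 1=1':   ", bound_only_lookup(conn, "9 OR 1=1"))
    print("users table still exists: ", table_exists(conn, "users"))
```

Binding alone is enough to stop the injection; the integer check on top of it gives a clean error for bad input instead of an empty result, and it is the piece that cfqueryparam's cfsqltype performs for you.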

