Jillian, 2 methods are available. One is a Regex that's applied to any variable going into a query (also some easy things like using "val()" around an int). The other is using <cfqueryparam>. Of the 2, <cfqueryparam> is the better option. It gives you quite a performance boost as well on Oracle or MS SQL.
-mk

-----Original Message-----
From: Jillian Carroll [mailto:jillian@;koskie.com]
Sent: Tuesday, November 05, 2002 4:30 PM
To: CF-Talk
Subject: Sanitize - Prevent SQL Injection

This may seem like a novice question... but is there a need/procedure for sanitizing data in CF to prevent SQL injection? I've searched everywhere and I can't find any information on this.

-- Jillian

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
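The two approaches from the reply above, side by side as an added example; this is not code from the original thread. It assumes a datasource named "myDSN", a table "users" with columns "id" and "email", and request variables url.id and form.email; all of those names are assumptions made for illustration.

```cfml
<!--- Added example (not from the original CF-Talk thread).
      Assumed names: datasource "myDSN", table "users" with columns
      "id" and "email", request variables url.id and form.email. --->

<!--- VULNERABLE: url.id is pasted straight into the SQL text, so the
      database cannot tell data from code. A request with
      ?id=1 OR 1=1 returns every row, and a single quote in a string
      value would terminate the literal and let the attacker continue
      writing SQL. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, email FROM users WHERE id = #url.id#
</cfquery>

<!--- HARDENED: <cfqueryparam> sends the value as a bind variable,
      separate from the SQL text. cfsqltype="cf_sql_integer" also makes
      ColdFusion reject non-numeric input before the query is sent.
      Because the SQL text is the same on every request, Oracle and
      MS SQL can reuse the cached execution plan, which is the
      performance gain mentioned above. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, email FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings work the same way: the driver handles quoting, so a
      quote in the input stays inside the value. maxlength caps the
      length accepted from the form. --->
<cfquery name="findUser" datasource="myDSN">
    SELECT id, email FROM users
    WHERE email = <cfqueryparam value="#form.email#"
                                cfsqltype="cf_sql_varchar"
                                maxlength="254">
</cfquery>

<!--- The val() approach from the reply: val() coerces the input to a
      number, so "1 OR 1=1" becomes 1 and "abc" becomes 0. That does
      stop injection for a single integer column, but it silently
      turns bad input into a valid (wrong) query instead of rejecting
      it, and it offers nothing for string columns. --->
<cfquery name="getUserByVal" datasource="myDSN">
    SELECT id, email FROM users WHERE id = #val(url.id)#
</cfquery>
```

Of the three, only the <cfqueryparam> form keeps the user-supplied value out of the SQL text entirely, which is why it is the default to reach for; val() and a regex are fallbacks for the rare place where a parameter cannot be bound (for example a column or table name chosen from a fixed list, where the safest fix is a lookup against that list rather than any sanitizing).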

