Nothing if you're using queryparam/SPs; however, on pulling the data back out,
double quotes may cause you trouble in text inputs (or single quotes if
that's how you delimit your attributes in HTML).

Use HTMLEditFormat() to solve the problem with double quotes.

Ade
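Both halves of the advice above in working ColdFusion, as an added example that is not from either poster: the textarea value goes into the varchar column as a bound parameter via cfqueryparam, and on the way back out it is placed in an HTML attribute through HTMLEditFormat(). The datasource name myDS, the comments table and the form field name comment are assumptions.

```cfml
<!--- Added example, not from the thread. Assumes datasource "myDS", a table
      comments(comment_text varchar(4000)) and a posted form field "comment". --->

<!--- Insert, the risky way, shown for contrast and left disabled: form.comment is
      spliced into the SQL text, so a value holding a single quote can end the string
      literal and the rest of the input is parsed as SQL. --->
<cfif false>
    <cfquery name="bad" datasource="myDS">
        INSERT INTO comments (comment_text) VALUES ('#form.comment#')
    </cfquery>
</cfif>

<!--- Insert with cfqueryparam: the value travels as a bound parameter, so
      semicolons, --, %, _, quotes and the rest are stored literally and are never
      parsed as SQL. maxlength rejects oversized input before it reaches SQL Server. --->
<cfquery name="ins" datasource="myDS">
    INSERT INTO comments (comment_text)
    VALUES (<cfqueryparam value="#form.comment#"
                          cfsqltype="cf_sql_varchar"
                          maxlength="4000">)
</cfquery>

<!--- Read the stored text back and re-display it in a form. --->
<cfquery name="q" datasource="myDS">
    SELECT comment_text FROM comments
</cfquery>

<cfoutput query="q">
    <!--- A stored value containing a double quote would otherwise close the
          value="" attribute. HTMLEditFormat() turns & < > " into entities, so
          the text stays inside the attribute and renders as typed. --->
    <input type="text" name="c" value="#HTMLEditFormat(q.comment_text)#">

    <!--- Caveat: HTMLEditFormat() does not escape the single quote, so with
          single-quoted attributes you would have to replace ' yourself; for
          element content such as a textarea the four entities above suffice. --->
    <textarea name="c2">#HTMLEditFormat(q.comment_text)#</textarea>
</cfoutput>
```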

-----Original Message-----
From: Mike Chabot [mailto:[EMAIL PROTECTED]
Sent: 03 March 2005 19:03
To: CF-Talk
Subject: Troublesome or Dangerous Form Submission Characters for SQL


Are there any characters that a user could enter into a textarea form
field that I should strip out before inserting the value into an MS
SQL Server varchar field? Could these characters cause problems?
semicolon, &, *, +, -, --, ?, %, _.

To prevent SQL injection, I could strip out truncate, drop, insert,
update, delete, and '--.' However, queryparam and the use of stored
procedures should prevent SQL injection.

Thank you,
Mike Chabot
