On 2/7/07, Dave Watts <[EMAIL PROTECTED]> wrote:
> Escaping quotes does make SQL injection a little harder, but far from
> impossible.

<!--- url.id defaults to a stacked-statement payload; the value is interpolated straight into the SQL --->
<cfparam name="url.id" default="0; delete from myTable;">
<cfquery ... >
select * from myTable where id=#url.id#
</cfquery>

If I'm not mistaken, that would only work in SQL Server, right?

Because only SQL Server lets you pass through multiple queries all at once.

Rick
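Added example, not part of this thread and not ColdFusion: a Python/sqlite3 model of the cfquery above. The function names (make_db, vulnerable_lookup, vulnerable_lookup_batch, safe_lookup) are invented for the illustration and the rows in myTable are constructed. It shows the point Dave is making: with only quote escaping in place, the numeric id parameter still accepts `0 or 1=1`, which needs neither a quote nor a second statement, so it works whether or not the driver accepts stacked queries. The batch variant uses executescript to stand in for a driver that does pass a whole batch through, which is what makes the post's `0; delete from myTable;` default destructive. safe_lookup plays the role of cfqueryparam with cf_sql_integer: validate the value as an integer, then bind it instead of interpolating it.

```python
import re
import sqlite3

# Constructed sample data standing in for myTable from the post.
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Build an in-memory database with a small myTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table myTable (id integer primary key, name text)")
    conn.executemany("insert into myTable values (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def escape_quotes(value):
    """The only defence the post's query has: double every single quote."""
    return value.replace("'", "''")


def build_query(url_id):
    """Mirror   select * from myTable where id=#url.id#   after quote escaping.
    No quotes surround the value, so escaping them changes nothing here."""
    return "select * from myTable where id=" + escape_quotes(url_id)


def row_count(conn):
    return conn.execute("select count(*) from myTable").fetchone()[0]


def vulnerable_lookup(conn, url_id):
    """Single-statement driver (sqlite3 execute): a stacked statement would be
    rejected, but a boolean payload such as '0 or 1=1' still returns every row."""
    return conn.execute(build_query(url_id)).fetchall()


def vulnerable_lookup_batch(conn, url_id):
    """Simulate a driver that passes a whole batch through: executescript runs
    every statement in the string, so the post's default payload deletes the
    table contents. Returns the rows left afterwards."""
    conn.executescript(build_query(url_id))
    return row_count(conn)


# Strict integer syntax: optional sign, digits only (no spaces, hex, or underscores).
INTEGER_RE = re.compile(r"^-?\d+$")


def safe_lookup(conn, url_id):
    """Stand-in for <cfqueryparam cfsqltype="cf_sql_integer">: reject anything
    that is not an integer literal, then bind the value as a parameter."""
    if not INTEGER_RE.match(url_id):
        raise ValueError("id must be an integer: %r" % url_id)
    return conn.execute("select * from myTable where id=?", (int(url_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "1"))                               # one row
    print(vulnerable_lookup(db, "0 or 1=1"))                        # all three rows, no quote involved
    print(vulnerable_lookup_batch(db, "0; delete from myTable;"))   # 0 rows left
    try:
        safe_lookup(make_db(), "0 or 1=1")
    except ValueError as e:
        print("rejected:", e)
```

In the ColdFusion template itself the equivalent of safe_lookup is `<cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">` in place of `#url.id#`; the type check rejects both payloads before any SQL is built, and the value is sent as a bound parameter rather than as text.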


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269068