> <cfparam name="url.id" default="0; delete from myTable;">
> <cfquery ... >
> select * from myTable where id=#url.id#
> </cfquery>
>
> If I'm not mistaken - that would only work in SQL Server, right?
>
> cuz only SQL Server lets you pass through multiple queries
> all at once.
Well, it's a bit more complicated than that. The ability to batch SQL commands depends on database drivers, not the actual database, I think.

Also, not all SQL injection attacks rely on SQL batching - some involve causing database errors, some involve comments, etc. Google "second-order SQL injection" for more info.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
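A runnable illustration of Dave's two points, added here and not part of the list thread: Python's sqlite3 driver refuses batched statements (so the quoted `0; delete from myTable;` value fails), yet the same string-interpolated query still leaks every row to a `1 or 1=1` value and throws database errors on malformed input; the bound-parameter form is what `<cfqueryparam>` gives you. The table, rows and helper names are constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for the thread's "myTable" (not from the list post).
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table myTable (id integer primary key, name text)")
    db.executemany("insert into myTable values (?, ?)", ROWS)
    return db

def query_interpolated(db, url_id):
    """The pattern from the quoted cfquery: the request value is pasted into the SQL text."""
    sql = f"select * from myTable where id={url_id}"
    return db.execute(sql).fetchall()

def query_parameterized(db, url_id):
    """What <cfqueryparam> does: the value is bound, so it can never become SQL syntax."""
    return db.execute("select * from myTable where id=?", (url_id,)).fetchall()

def driver_allows_batching(db):
    """Does this driver run a second ';'-separated statement in one execute() call?"""
    try:
        db.execute("select 1; select 2")
        return True
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return False  # sqlite3 refuses: "You can only execute one statement at a time."

def outcome(db, url_id):
    """Run the interpolated query and report what a request-controlled value achieved."""
    try:
        rows = query_interpolated(db, url_id)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return {"error": type(exc).__name__, "rows": 0}
    return {"error": None, "rows": len(rows)}

if __name__ == "__main__":
    db = make_db()
    print("driver allows batching:", driver_allows_batching(db))
    print("id=0                    ->", outcome(db, "0"))                        # normal empty result
    print("id=0; delete from ...   ->", outcome(db, "0; delete from myTable;"))  # batch refused by driver
    print("id=1 or 1=1             ->", outcome(db, "1 or 1=1"))                 # all rows, no batching needed
    print("id=1'                   ->", outcome(db, "1'"))                       # database error, another signal
    print("parameterized 1 or 1=1  ->", query_parameterized(db, "1 or 1=1"))     # no rows: value stays data
```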

