I guess I should also add that if hackers are seeing useful errors reported back to them, you have a couple more problems besides SQL injection showing unintended data in your normal query output.

1. Your queries are not wrapped with cftry - cfcatch.
2. Your queries are not cfqueryparam'd.
3. Your website is not showing a custom error template with a cleaned-up, user-friendly, hacker-safe message.
4. Client-supplied data is not scrubbed for safeness and problems reported in a user-friendly way.

Others suggested cfqueryparam'ing your queries, but while this will prevent SQL injection, you still have ugly errors with possibly useful information presented to the hacker. Fixing the above 3 problems will get you a safer website and the 4th a nice user experience should a normal user make a mistake.

CoolJJ

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280647
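
The four fixes listed in the post above, combined on one page, as an added example that is not part of the original message. The datasource `appDSN`, the `products` table, the `url.id` parameter, the `appErrors` log name and the `friendlyError.cfm` template are assumed names.

```cfml
<!--- Added example; all names below are assumptions, not from the post. --->
<cfparam name="url.id" default="">

<!--- 4. Scrub client-supplied data and report problems in a friendly way. --->
<cfif NOT isValid("integer", url.id)>
    <cfoutput><p>Sorry, that product link is not valid. Please pick a product from the list.</p></cfoutput>
    <cfabort>
</cfif>

<!--- 1. Wrap the query in cftry / cfcatch. --->
<cftry>
    <cfquery name="getProduct" datasource="appDSN">
        SELECT name, price
        FROM   products
        WHERE  product_id =
               <!--- 2. Bind the value instead of concatenating it into the SQL. --->
               <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfcatch type="database">
        <!--- Keep the driver message and SQL detail in the server log only. --->
        <cflog file="appErrors" type="error"
               text="getProduct failed: #cfcatch.message# #cfcatch.detail#">
        <!--- 3. Show the visitor a generic template with no error internals. --->
        <cfinclude template="friendlyError.cfm">
        <cfabort>
    </cfcatch>
</cftry>

<cfoutput query="getProduct">
    <p>#htmlEditFormat(name)#: #dollarFormat(price)#</p>
</cfoutput>
```

For errors raised outside any cftry block, a site-wide `<cferror type="exception" template="friendlyError.cfm">` in Application.cfm serves the same generic template.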