Thanks Mike for your advice, it resolved the problem. You're right, it is not the URL that is being passed. The only strange thing is it works online. Is there any explanation for it?

thanks
alex

>First of all, I'd suggest using CFQueryparam to help secure against
>nasties in your SQL statement. Your query should be something like:
>
><cfquery name="name" datasource="source">
>select name, id
>from tblname
>where id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer" />
></cfquery>
>
>That doesn't answer your original question, but it will be essential
>for you to protect yourself against someone changing the url variable
>for that page to something like:
>
>
>second.cfm?id=412'Drop table users'
>or adding other SQL nasties to your URL.
>
>To your question. I think you should have a look at what's actually
>being handed to your page. You THINK it's your ID, but maybe it's
>not. Do a CFDUMP of the URL on the second.cfm page and see what's
>being handed in after the URLEncoding happens.
>
><cfdump var="#url#"><cfabort>
>
>somewhere in the second.cfm page will make the page stop at that point
>and display for you exactly what's being passed to that page. It
>might not be what you think it is.
>
>
>
>Cheers
>Mike Kear
>Windsor, NSW, Australia
>Adobe Certified Advanced ColdFusion Developer
>AFP Webworks
>http://afpwebworks.com
>ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
>
>
>
>On 7/12/07, alex poyaoan <[EMAIL PROTECTED]> wrote:
>> thanks

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:283529
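
An added example, not code from either poster: one way second.cfm could reject a malformed id before running the parameterized query suggested in the quoted message, so that a tampered URL value never reaches the database driver. The query name getRecord, the log file name and the response texts are hypothetical; the datasource, table and column names are the placeholders from the quoted query.

```cfml
<!--- second.cfm: added example. "source" and "tblname" are the placeholders
      from the quoted query; getRecord and second_cfm are hypothetical names. --->

<!--- 1. Validate first: accept only 1 to 9 decimal digits (fits a 32-bit integer).
         A missing id, or one with quotes or SQL text appended, stops here. --->
<cfif NOT structKeyExists(url, "id") OR reFind("^[0-9]{1,9}$", url.id) EQ 0>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid id.</cfoutput>
    <cfabort>
</cfif>

<!--- 2. Bind the value: cfqueryparam sends it as a typed parameter,
         so it is never concatenated into the SQL text. --->
<cftry>
    <cfquery name="getRecord" datasource="source">
        select name, id
        from tblname
        where id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer" />
    </cfquery>
    <cfcatch type="database">
        <!--- Keep driver error detail in the server log, not in the response. --->
        <cflog file="second_cfm" type="error" text="Query failed: #cfcatch.message#">
        <cfheader statuscode="500" statustext="Server Error">
        <cfoutput>Request could not be processed.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>

<!--- 3. Handle the empty result explicitly. --->
<cfif getRecord.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput>No record for that id.</cfoutput>
    <cfabort>
</cfif>

<!--- 4. Encode database values before writing them into HTML. --->
<cfoutput query="getRecord">
    #htmlEditFormat(getRecord.name)# (#getRecord.id#)
</cfoutput>
```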

