> -------------------E-MAIL--------------------------------
> Invalid data 1 and 1=convert(int,(select top 1
> char(97)+admin_password from tbl_adminusers)) for CFSQLTYPE
> CF_SQL_INTEGER. <br>The error occurred on line 30.
> ....
> ---------------------E-MAIL------------------------
>
> Is this a SQL injection attack? Anything I can do?

Yes, that is a SQL injection attack attempt. You're already using CFQUERYPARAM, which will protect you from the attack itself. If you want to stop the errors from coming up, you can operate on the input variable to force it to be a proper data format before passing it to the query. For ID fields (usually positive integers) I use...

<cfset url.id = abs(val(trim(url.id))) />

This forces it to be a positive integer and sets it to zero if the input is textual (?id=blah for example) so the query will not error. In some cases we use

<cfif not url.id><cflocation url="/" /></cfif>

after that operation and before the query if we know for sure that there really should be a proper value passed.

We've also seen Google pass large values to some ID URLs for some reason (?id=21456878753 for example) that causes an "out of range" type error, so we have started wrapping some values with min(url.id, 2000000) to prevent those kinds of errors as well (only where the value would never be over 2000000 though).

-Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285490
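The three steps from the reply above, put together in one template as an added example (this is not code from the original thread). The datasource name "mydsn", the table "articles" and its column "article_id" are assumed for illustration; the inline comments trace what val() does to the exact payload quoted in the error message.

```cfml
<!---
  Added example, not from the original post.
  Coerce a numeric URL parameter before it reaches cfqueryparam so
  junk, injection payloads and oversized values never raise an error.
  Assumed names: datasource "mydsn", table "articles", column "article_id".
--->

<!--- Default the parameter so a missing ?id= does not throw either. --->
<cfparam name="url.id" default="0" type="string">

<!---
  val() returns the leading numeric portion of a string, or 0 if there
  is none, so the injection payload from the error message collapses to
  the legitimate id:
    "42"                                   -> 42
    "blah"                                 -> 0
    "1 and 1=convert(int,(select top 1 ..." -> 1
    "-7"                                   -> -7, which abs() makes 7
  Without this step cfqueryparam still refuses the string (that is the
  "Invalid data ... for CFSQLTYPE CF_SQL_INTEGER" error), so the query
  is safe either way; the coercion only removes the noise.
--->
<cfset url.id = abs(val(trim(url.id))) />

<!---
  Cap oversized values such as ?id=21456878753 that exceed a 32-bit
  integer. 2000000 is the assumed ceiling from the reply; only use a
  cap where no genuine id can ever exceed it.
--->
<cfset url.id = min(url.id, 2000000) />

<!--- An id of 0 means the input was junk; send the visitor home. --->
<cfif not url.id>
    <cflocation url="/" addtoken="false" />
</cfif>

<!---
  The parameterized query. cfqueryparam binds the value as an integer
  parameter instead of concatenating it into the SQL text, which is
  what actually defeats the injection attempt.
--->
<cfquery name="getArticle" datasource="mydsn">
    SELECT article_id, title
    FROM   articles
    WHERE  article_id = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_INTEGER">
</cfquery>

<!--- A capped or guessed id that matches nothing gets the same redirect. --->
<cfif getArticle.recordCount EQ 0>
    <cflocation url="/" addtoken="false" />
</cfif>
```

Order matters: abs(val(trim())) must run before the min() cap and the zero check, otherwise min() is handed a string and the cfif compares against unparsed input. Keep cfqueryparam in place even with the coercion; the coercion is there to stop the error mail, not to replace the parameterization.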

