I also like to use val() on any integer, like your ProdID appears to be an integer.
This way val() will take text and convert it to 0. But yes, use your CFQueryParams! This is the best line of defense.

-----Original Message-----
From: Rick King [mailto:[EMAIL PROTECTED]
Sent: Monday, August 06, 2007 11:56 AM
To: CF-Talk
Subject: SQL injection hack?

Hey all,

I just received this email that is generated when there is an error on a site I built (www.woreitonce.com)

-------------------E-MAIL--------------------------------
Invalid data 1 and 1=convert(int,(select top 1 char(97)+admin_password from tbl_adminusers)) for CFSQLTYPE CF_SQL_INTEGER. <br>The error occurred on line 30.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
81.10.46.130
/Details.cfm
ProdID=1%20and%201=convert(int,(select%20top%201%20char(97)%2badmin_password%20from%20tbl_adminusers))
---------------------E-MAIL------------------------

Is this a SQL injection attack? Anything I can do?

Thanks
Rick

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Get involved in the latest ColdFusion discussions, product development sharing, and articles on the Adobe Labs wiki.
http://labs/adobe.com/wiki/index.php/ColdFusion_8
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285492
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
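Added illustration, not code from either poster or from the site discussed: a Details.cfm page as it would look if ProdID were pasted straight into the SQL, beside the hardened version using cfqueryparam (the datasource name, table and column names are assumptions). The "Invalid data ... for CFSQLTYPE CF_SQL_INTEGER" text in the quoted mail is the error cfqueryparam raises when the supplied value is not an integer, so that error is the parameter check doing its job. Note that val() keeps the leading numeric portion of a string rather than always returning 0, so val("1 and 1=...") yields 1; that is why the hardened version rejects non-integers explicitly before calling val().

```cfml
<!--- Details.cfm (hypothetical): look up one product by ProdID --->
<cfparam name="URL.ProdID" default="0">

<!--- VULNERABLE (before): the raw URL value becomes part of the SQL text.
      Whatever follows the number is executed as SQL by the database. --->
<!---
<cfquery name="qProduct" datasource="myDSN">
    SELECT ProdID, ProdName, Price
    FROM   tbl_products
    WHERE  ProdID = #URL.ProdID#
</cfquery>
--->

<!--- HARDENED (after): validate first, then bind the value as a typed parameter. --->

<!--- 1. Reject anything that is not a whole number. isValid("integer", "1 and 1=...")
        returns false, so the request never reaches the query. --->
<cfif NOT isValid("integer", URL.ProdID) OR val(URL.ProdID) LTE 0>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid product id.</cfoutput>
    <cfabort>
</cfif>

<!--- 2. Bind with cfqueryparam. The database receives a prepared statement with a
        placeholder and an integer value; the value can never be parsed as SQL.
        cf_sql_integer also throws the "Invalid data ... for CFSQLTYPE CF_SQL_INTEGER"
        error seen in the mail if a non-integer somehow gets this far. --->
<cfquery name="qProduct" datasource="myDSN">
    SELECT ProdID, ProdName, Price
    FROM   tbl_products
    WHERE  ProdID = <cfqueryparam value="#val(URL.ProdID)#" cfsqltype="cf_sql_integer">
</cfquery>

<cfif qProduct.recordCount EQ 0>
    <cfoutput>Product not found.</cfoutput>
<cfelse>
    <cfoutput>#qProduct.ProdName# - #qProduct.Price#</cfoutput>
</cfif>
```

The two layers are deliberate: the isValid() check turns probing into a clean 400 response instead of an error e-mail, and cfqueryparam guarantees that even a value that slipped past validation is sent to the database as data, not as SQL.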

