I don't know how many times we've seen the subject of this thread over the last few years, but it generally ends with Jochem blowing holes in every type of contrived SQL injection protection, and the general consensus ends up being: if you are worried about SQL injection, use CFQUERYPARAM.
For XSS you really should be looking at using HTMLEditFormat() and HTMLCodeFormat() to make any user submitted content safe. Take a look at some resources that others have posted to this list before:

http://www-106.ibm.com/developerworks/linux/library/l-sp2.html#IDADE4KC
http://www.unixwiz.net/techtips/sql-injection.html

If you don't want to go down the futile path of chasing down every attack and bolting the door afterwards, just use the built in features of the CF language. You may see errors on your site if you only employ these features when your site is attacked, but if someone is trying to hack your site using SQL injection or XSS techniques, why would you expect (or want) it to work correctly, because it shouldn't! Some errors are good errors...

Every time I get a "value is not of type CF_SQL_INTEGER" error, I look at their attack from the error dump, invariably smile at the fact that CFQUERYPARAM has saved the day *again*, and chalk one up for the good guys.

Paul
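As an added illustration of the two built-in features the post recommends (not code from the original message), here is the same lookup written the injectable way and then with cfqueryparam, followed by the output encoded with HTMLEditFormat(). The datasource name, table and column names are assumptions made up for the example.

```cfml
<!--- Constructed sample input; in a real request url.id comes from the query string --->
<cfparam name="url.id" default="42">

<!--- VULNERABLE: the raw request value is concatenated into the SQL text,
      so "1 OR 1=1" or a UNION clause becomes part of the statement --->
<cfquery name="getUserUnsafe" datasource="exampleDSN">
    SELECT id, username, bio
    FROM   users
    WHERE  id = #url.id#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a typed bind parameter.
      Anything that is not an integer is rejected before it reaches the
      database with the "value is not of type CF_SQL_INTEGER" error the
      post describes; a valid integer can never alter the query structure --->
<cfquery name="getUser" datasource="exampleDSN">
    SELECT id, username, bio
    FROM   users
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- XSS: user-supplied content is HTML-escaped on output, so a bio such as
      <script>alert(1)</script> is rendered as literal text, not executed --->
<cfoutput query="getUser">
    <h2>#HTMLEditFormat(username)#</h2>
    <p>#HTMLEditFormat(bio)#</p>
</cfoutput>
```

HTMLEditFormat() escapes &lt;, &gt;, &amp; and the double quote but not the single quote, so it is only safe for content placed in element bodies or double-quoted attributes; ColdFusion 10 and later add EncodeForHTML() and EncodeForHTMLAttribute() for a fuller encoding.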