> I considered wrapping the cfqueries in a generic try-catch,
> but I don't want to lose potentially valid errors in that
> catch. I'm not sure how I could differentiate between an
> injection attack and a potentially legitimate error.
In most cases you can wrap the variable with abs(val(trim())) and it will guarantee that a positive integer or zero gets passed into the queryparam, avoiding the error.

Example:

    <cfqueryparam ... value="#abs(val(trim(url.id)))#">

This isn't a catch-all, but can be used where you're selecting based on a non-zero, positive integer.

-Justin Scott | GravityFree Network Administrator
1960 Stickney Point Road, Suite 210
Sarasota | FL | 34231 | 800.207.4431
941.927.7674 x115 | f 941.923.5429
www.GravityFree.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:286761
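The coercion from the reply carried into a complete request handler, with the zero check the reply's caveat calls for and a log line that records when the incoming value was not already a clean integer, which is the signal the original question was missing. This is an added example, not code from the original post; `url.id`, the `items` table, the `myDSN` datasource and the `input_rejects` log file are assumptions.

```cfml
<!--- Constructed example: url.id is whatever the client sent; default to "" if absent --->
<cfparam name="url.id" default="">
<cfset rawId = trim(url.id)>

<!--- val() keeps only the leading numeric part ("12abc" -> 12, "abc" -> 0),
      abs() drops any sign, int() truncates a decimal such as "12.7",
      so safeId is always a non-negative whole number. --->
<cfset safeId = int(abs(val(rawId)))>

<!--- The coercion hides tampering, so record it separately: a value that was not
      already a plain integer deserves a log entry even though the query stays safe. --->
<cfif NOT isValid("integer", rawId)>
    <cflog file="input_rejects" type="warning"
           text="Non-integer id parameter from #cgi.remote_addr#: #rawId#">
</cfif>

<!--- 0 is never a valid key here (the reply's caveat), so skip the query entirely
      and hand back an empty result instead of selecting nothing with a round trip. --->
<cfif safeId GT 0>
    <cfquery name="getItem" datasource="myDSN">
        SELECT id, name
        FROM items
        WHERE id = <cfqueryparam value="#safeId#" cfsqltype="cf_sql_integer">
    </cfquery>
<cfelse>
    <cfset getItem = queryNew("id,name")>
</cfif>
```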

