One basic thing you can do is place an #Int()# function in the query on any
values that the user has control of that are supposed to be numeric, or
check them in advance with #IsNumeric()# or something.  This will keep them
from passing a subquery as part of the request.  So having it in a query
like..

SELECT This FROM That
WHERE ID = #Int(URL.ID)#

..always a good idea.

_______________________________________

Justin Scott :: [DtDNS Administrator]
http://www.dtdns.com
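The advice above laid out side by side, as an added example that is not code from the original message: the raw interpolation, the #Int()# and #IsNumeric()# guards, and a bound parameter via cfqueryparam as a further option. The datasource name and the cfabort handling are assumptions.

```cfml
<!--- Vulnerable: URL.ID is pasted into the SQL text as-is, so anything
      the caller puts in the query string becomes part of the statement --->
<cfquery name="getRow" datasource="myDSN">
    SELECT This FROM That
    WHERE ID = #URL.ID#
</cfquery>

<!--- Hardened as in the reply: Int() only yields an integer, and throws
      a ColdFusion error if URL.ID cannot be converted to a number --->
<cfquery name="getRow" datasource="myDSN">
    SELECT This FROM That
    WHERE ID = #Int(URL.ID)#
</cfquery>

<!--- Checking up front with IsNumeric() lets you fail cleanly instead of
      relying on the exception. IsNumeric() also accepts decimals and
      exponents, so keep Int() in the query as well --->
<cfif NOT IsNumeric(URL.ID)>
    <cfabort showerror="ID must be numeric">
</cfif>

<!--- Further option: bind the value as an integer parameter, so the
      database never sees it as SQL text --->
<cfquery name="getRow" datasource="myDSN">
    SELECT This FROM That
    WHERE ID = <cfqueryparam value="#URL.ID#" cfsqltype="cf_sql_integer">
</cfquery>
```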

----- Original Message -----
From: "Kevin Schmidt" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, November 13, 2000 10:41 AM
Subject: Security and SQL


> I pass a few values through URL variable that I use in where clauses in my
> SQL.  I want to prevent someone from passing malicious SQL through that
> value.  What are my options??
>
> Kevin Schmidt
> Internet Services Director
> PWB Integrated Marketing and Communications
> Office: 734.995.5000
> Mobile: 734.649.4843

------------------------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send a message 
with 'unsubscribe' in the body to [EMAIL PROTECTED]
