What kind of DB were you using? I still haven't seen a good example of a SQL query injection in CF since CF auto-escapes single quotes.
Russ

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 23, 2008 11:26 AM
> To: CF-Talk
> Subject: Owned by Rootdamages by FasT
>
> One of the sites I'm working on had a SQL break-in on an old application. The url scope passed an integer and the where statement in the cfquery wasn't protected by cfqueryparam. I've added cferror to this application as well so a hacker can't see the standard cf error message. Is there anything else I can do to tighten this issue down? Just want to make sure.
>
> Thanks
>
> D

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297165
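
The fix discussed in this thread, shown as an added example that is not code from either poster: an integer taken from the url scope and placed unquoted in a WHERE clause, next to the same query with type validation and cfqueryparam. The datasource `appDSN`, the table `articles`, the parameter `url.id` and the log file name `sqlinput` are hypothetical.

```cfml
<!--- Added example. "appDSN", "articles", url.id and "sqlinput" are hypothetical names. --->

<!--- BEFORE: the pattern described in the quoted message.
      The URL value is interpolated into the WHERE clause as a bare number.
      Single-quote escaping only matters inside a quoted string literal,
      so it gives no protection to an unquoted numeric position. --->
<cfquery name="getArticleUnsafe" datasource="appDSN">
    SELECT id, title, body
    FROM articles
    WHERE id = #url.id#
</cfquery>

<!--- AFTER: validate the type first, then bind the value as a parameter. --->
<cftry>
    <!--- Throws when url.id is present but is not an integer;
          the default covers a request that omits the parameter. --->
    <cfparam name="url.id" type="integer" default="0">

    <cfquery name="getArticle" datasource="appDSN">
        SELECT id, title, body
        FROM articles
        WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfcatch type="any">
        <!--- Keep the detail in a server-side log and return a bare 400,
              so the response says nothing about the query or the schema. --->
        <cflog file="sqlinput" type="warning"
               text="Rejected request from #cgi.remote_addr#: #cfcatch.message#">
        <cfheader statuscode="400" statustext="Bad Request">
        <cfabort>
    </cfcatch>
</cftry>
```

The cferror handler mentioned in the original message still serves as the application-wide fallback; the cftry here handles the rejected input at the point where it is detected.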

