But Billy has been told to turn:

SET myValue = #someOtherQuery.someOtherValue#

into:

SET myValue = #FORM.someOtherValue#

because Nigel in accounts wants to do his own thing.

If cfqp is in place, Billy will leave it there. He might not add it if it's
not!

Poor Billy...

-----Original Message-----
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: 24 July 2008 14:54
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...


>> and Billy New-Developer comes along and decides that
>> someOtherQuery.someOtherValue could really do with coming directly from the
>> user? Will he add the cfqp if it's not already there?

This is irrelevant, because:
1. if both fields are numeric, there is no possibility OtherQuery.someOtherValue
   can contain anything harmful;
2. if both fields are text, CFQUERYPARAM won't detect anything harmful and
   won't help anyway;
3. if both fields have different types, then you should have fired your db
   administrator, or your developer, or both, a long time ago ;-)
   In this case, the least you should do is to check the compatibility of
   values BEFORE running the query, and eventually make the appropriate
   conversion.

--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.
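The update statement the thread is arguing about, as an added example that is not code from either poster: the interpolated form beside the same statement with cfqueryparam, which hands each value to the database as a typed bind parameter instead of splicing it into the SQL text. The table name, datasource name, column types and the maxlength value are assumptions made for this example.

```cfml
<!--- Added example, not code from either poster. Assumes a table "myTable"
      with an integer key "id", an integer column "myValue" (matching the
      unquoted #...# usage in the thread) and a text column "label". The
      FORM fields are the user-submitted input that Billy's change introduces. --->

<!--- Before: the form values are interpolated straight into the SQL text.
      With no quoting around myValue, whatever the user typed is parsed by the
      database as part of the statement, not as a value. --->
<cfquery name="updateUnsafe" datasource="myDSN">
    UPDATE myTable
    SET myValue = #FORM.someOtherValue#,
        label   = '#FORM.label#'
    WHERE id = #FORM.id#
</cfquery>

<!--- After: each value travels as a bind parameter. The database receives the
      statement text and the values separately, so the text column stores the
      literal characters the user typed, and cf_sql_integer makes ColdFusion
      reject a non-numeric myValue or id before the query is ever sent. --->
<cfquery name="updateSafe" datasource="myDSN">
    UPDATE myTable
    SET myValue = <cfqueryparam value="#FORM.someOtherValue#"
                                cfsqltype="cf_sql_integer">,
        label   = <cfqueryparam value="#FORM.label#"
                                cfsqltype="cf_sql_varchar"
                                maxlength="100">
    WHERE id = <cfqueryparam value="#FORM.id#"
                             cfsqltype="cf_sql_integer">
</cfquery>
```

The cfsqltype also covers point 3 of the quoted reply: the type check happens in ColdFusion before the round trip, so a mismatch between the form value and the column surfaces as a clear error rather than as whatever the database makes of the raw text.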


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309588