Closing the apostrophe is exactly how SQL injection occurs with text field and if you are using MySQL it is a very real possibility.
~Brad ----- Original Message ----- From: "Claude Schneegans" <[EMAIL PROTECTED]> To: "CF-Talk" <[email protected]> Sent: Thursday, July 24, 2008 11:12 AM Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... > >>ANY string passed into cfqueryparam cannot be executed as SQL: > > Is it really possible to get an SQL statement executed from a string for > a text field > without closing the string first with an apostrophe? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309623 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
