I also use this to get the new key on inserted records, and have used
cfqueryparam for years to protect against this sort of attack, and for
performance reasons.

Functionality shouldn't be sacrificed just to protect careless developers
from themselves.

John

-----Original Message-----
From: Dave Francis [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2008 12:16 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta

I find it useful on occasion with INSERT then SELECT @IDENTITY

-----Original Message-----
From: Al Musella, DPM [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta

Ben,
    Seeing as how this type of sql injection attack is succeeding so much
(even my favorite fishing website has been down for days due to it (it is a
.cfm site))...
  how about changing cfquery so that by default, only ONE sql statement can
be sent.  Let us override that with a parameter in cfquery or a cfprocessing
directive type of thing in our application.cfm..

I doubt many people use multiple sql statements in one cfquery, and those
that do are probably advanced enough to know to add the parameter for
allowing it..

You can call this enhancement request cf_trainingWheels


How many people out there group together (intentionally) multiple sql
statements in one cfquery?  (Like "select email from users where id=1; drop
table users")

Al
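The thread argues three things at once: a bound parameter (cfqueryparam) keeps a URL value from being parsed as SQL, a driver that refuses stacked statements by default would have blunted the "select ...; drop table users" attack Al describes, and the INSERT-then-fetch-identity use case does not actually need a second statement. The following added example, which is mine and not code from any of the posters, shows all three against Python's sqlite3 module, whose execute() refuses more than one statement per call (executescript() is the explicit opt-in, the equivalent of Al's override parameter). The table and rows are constructed sample data.

```python
import sqlite3

# Constructed sample data, not taken from the thread.
STACKED_ID = "1; drop table users"   # the multi-statement value from Al's message, as a URL parameter would carry it


def make_db():
    """Fresh in-memory database with one users row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO users (email) VALUES ('alice@example.com')")
    conn.commit()
    return conn


def lookup_email_unparameterized(conn, raw_id):
    """String concatenation: the pattern cfqueryparam replaces.

    Returns ("ok", email) on success, or ("refused", message) when the
    driver rejects the statement. Older Pythons raise sqlite3.Warning for a
    second statement, newer ones sqlite3.ProgrammingError, so both are caught.
    """
    sql = "select email from users where id=" + raw_id
    try:
        row = conn.execute(sql).fetchone()
        return ("ok", row[0] if row else None)
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        return ("refused", str(exc))


def lookup_email_parameterized(conn, raw_id):
    """Bound parameter: the value is data, never part of the SQL text.

    A stacked-statement string simply fails to match any integer id.
    """
    row = conn.execute("select email from users where id=?", (raw_id,)).fetchone()
    return row[0] if row else None


def insert_user_get_key(conn, email):
    """INSERT and read the new key from the cursor, no second statement needed
    (the sqlite3 counterpart of reading the generated key from a query result
    rather than running SELECT @IDENTITY)."""
    cur = conn.execute("insert into users (email) values (?)", (email,))
    conn.commit()
    return cur.lastrowid


def table_exists(conn, name):
    row = conn.execute(
        "select name from sqlite_master where type='table' and name=?", (name,)
    ).fetchone()
    return row is not None


def run_demo():
    """Exercise the three points and report the outcomes."""
    conn = make_db()
    results = {
        "param_legit": lookup_email_parameterized(conn, "1"),
        "param_stacked": lookup_email_parameterized(conn, STACKED_ID),
        "concat_legit": lookup_email_unparameterized(conn, "1"),
        "concat_stacked": lookup_email_unparameterized(conn, STACKED_ID)[0],
        "users_survived": table_exists(conn, "users"),
        "new_key": insert_user_get_key(conn, "bob@example.com"),
    }
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The parameterized lookup returns the row for "1" and nothing for the stacked string, while the concatenated query is refused outright rather than executed in two parts, and the users table survives both. The generated key comes back from the cursor of the INSERT itself, which is the same one-statement shape a result-struct generated key gives in cfquery.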


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309699