That is more a function of the db.  I know that by default, MySQL does not 
allow multiple sql statements.  You have to change a setting to allow this.

I suppose this could be added to CF as well, but it would have to allow 
multiples by default, so that it would be backwards compatible.  So you'd 
still have to remember to switch it off.

-- Josh


----- Original Message ----- 
From: "Al Musella, DPM" <[EMAIL PROTECTED]>
To: "CF-Talk" <[email protected]>
Sent: Friday, July 25, 2008 9:04 AM
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head... To Ben 
Forta


> Ben,
>    Seeing as how this type of sql injection attack is succeeding so
> much (even my favorite fishing website has been down for days due to
> it (it is a .cfm site))...
>  how about changing cfquery so that by default, only ONE sql
> statement can be sent.  Let us override that with a parameter in
> cfquery or a cfprocessing directive type of thing in our application.cfm..
>
> I doubt many people use multiple sql statements in one cfquery, and
> those that do are probably advanced enough to know to add the
> parameter for allowing it..
>
> You can call this enhancement request cf_trainingWheels
>
>
> How many people out there group together (intentionally) multiple sql
> statements in one cfquery?  (Like "select email from users where
> id=1; drop table users")
>
> Al
>
> 
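
The stacked statement quoted above, run three ways: a driver call that accepts multiple statements, a call limited to one statement, and a bound parameter, which is the role cfqueryparam plays in a cfquery. This is an added example, not part of the original thread or of ColdFusion; Python's sqlite3 stands in for the database driver, and the table, row and function names are constructed for illustration.

```python
import sqlite3

# Constructed input: the stacked statement quoted in the thread, arriving in
# a parameter that the page expects to be a numeric id.
STACKED_ID = "1; drop table users"


def fresh_db():
    """In-memory database with a one-row users table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id integer primary key, email text)")
    db.execute("insert into users values (1, 'al@example.com')")
    return db


def users_table_exists(db):
    row = db.execute(
        "select count(*) from sqlite_master where type='table' and name='users'"
    ).fetchone()
    return row[0] == 1


def multi_statement_concat(user_id):
    """Driver call accepts several statements; the value is concatenated."""
    db = fresh_db()
    db.executescript("select email from users where id=" + user_id)
    return users_table_exists(db)


def single_statement_concat(user_id):
    """Driver call accepts one statement; the value is still concatenated."""
    db = fresh_db()
    try:
        db.execute("select email from users where id=" + user_id).fetchall()
        rejected = False
    # Older Python raises sqlite3.Warning here, 3.12+ raises ProgrammingError.
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        rejected = True
    return rejected, users_table_exists(db)


def bound_parameter(user_id):
    """Value is bound as data, so the whole string is compared against id."""
    db = fresh_db()
    rows = db.execute("select email from users where id=?", (user_id,)).fetchall()
    return rows, users_table_exists(db)
```

The single-statement limit only stops the second statement from running; the concatenated value is still parsed as SQL, whereas the bound parameter is never parsed as SQL at all.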

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309701