I'm making certain assumptions, but are you ensuring your "feedback" is clean when it's saved? If it's not, that'd explain how they're getting nastiness into the DB, which is then called in that query.

If not, explain a little more of the attack, as that query would not be susceptible to SQL injection from the URL.

- Gabriel

On Mon, Mar 22, 2010 at 7:04 AM, Anthony Doherty <[email protected]> wrote:
>
> I have a site page that is only using the query below and the site keeps
> getting hit by SQL hacks. I have looked through every SQL query and all the
> queries are using <cfqueryparam value="#URL.???#" cfsqltype="cf_sql_numeric">
> so they can't be hacked.
>
> Can someone explain how I can amend this query so it's not hackable?
>
> <cfquery name="RS1" datasource="DS1">
> SELECT FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY, County.County,
> County.ID
> FROM FEEDBACK INNER JOIN
> County ON (FEEDBACK.COUNTY = County.ID)
> </cfquery>
>
> Thanks

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331931
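Added example, not from the thread or from either poster: a Python/SQLite sketch of the distinction Gabriel is drawing. The SELECT in the question takes no user input at all, so it cannot be the injection point; the code path that saves FEEDBACK can be, and whatever lands in the table is then served back by that SELECT. Table and column names follow the thread; the payload, the two save functions, the `anon` author and the use of `executescript` to stand in for a database driver that accepts stacked statements are all assumptions made for the demo, not anything the thread established about Anthony's site.

```python
import html
import sqlite3

# Constructed sample input (not from the thread): a "comment" that closes the
# string literal the application opened, finishes the INSERT it was in, and
# appends a second INSERT of its own. No comment marker is needed because the
# application's trailing  ', 'anon', 1)  completes the injected statement.
SAMPLE_FEEDBACK = (
    "nice', 'anon', 1); "
    "INSERT INTO FEEDBACK (FEEDBACK, LEFT_BY, COUNTY) "
    "VALUES ('<script>alert(1)</script>"
)

# The query from the thread, unchanged apart from an ORDER BY for determinism.
THREAD_SELECT = """
    SELECT FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY, County.County, County.ID
    FROM FEEDBACK INNER JOIN County ON (FEEDBACK.COUNTY = County.ID)
    ORDER BY FEEDBACK.ID
"""


def make_db():
    """In-memory schema shaped like the thread's FEEDBACK and County tables (assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE County (ID INTEGER PRIMARY KEY, County TEXT);
        CREATE TABLE FEEDBACK (ID INTEGER PRIMARY KEY, FEEDBACK TEXT,
                               LEFT_BY TEXT, COUNTY INTEGER);
        INSERT INTO County VALUES (1, 'Antrim');
    """)
    return conn


def save_feedback_unsafe(conn, feedback, left_by, county_id):
    """The save path done badly: user text is pasted into the SQL string.
    executescript stands in for a driver that runs stacked statements."""
    sql = (
        "INSERT INTO FEEDBACK (FEEDBACK, LEFT_BY, COUNTY) "
        "VALUES ('%s', '%s', %d)" % (feedback, left_by, county_id)
    )
    conn.executescript(sql)


def save_feedback_safe(conn, feedback, left_by, county_id):
    """The same save with bound parameters (what cfqueryparam does in CFML):
    the payload is stored as inert text, whatever it contains."""
    conn.execute(
        "INSERT INTO FEEDBACK (FEEDBACK, LEFT_BY, COUNTY) VALUES (?, ?, ?)",
        (feedback, left_by, county_id),
    )
    conn.commit()


def list_feedback(conn):
    """Run the thread's SELECT. It has no parameters, so nothing here can be injected;
    it simply returns whatever the save path let into the table."""
    return conn.execute(THREAD_SELECT).fetchall()


def render_feedback(text):
    """Output encoding for the page: stored text is escaped before it hits HTML."""
    return html.escape(text, quote=True)


def demo_unsafe_save():
    """Stacked injection on save: two rows appear, one of them a script tag."""
    conn = make_db()
    save_feedback_unsafe(conn, SAMPLE_FEEDBACK, "anon", 1)
    return [row[1] for row in list_feedback(conn)]


def demo_safe_save():
    """Parameterised save: one row, holding the payload verbatim as text."""
    conn = make_db()
    save_feedback_safe(conn, SAMPLE_FEEDBACK, "anon", 1)
    return [row[1] for row in list_feedback(conn)]


if __name__ == "__main__":
    print("unsafe save stored:", demo_unsafe_save())
    print("safe save stored:  ", demo_safe_save())
    for text in demo_unsafe_save():
        print("rendered:", render_feedback(text))
```

Two things follow for the CFML side. First, auditing only the `<cfquery>` blocks that read `URL.*` misses the form-driven INSERT or UPDATE that writes FEEDBACK; every value that reaches SQL needs a `cfqueryparam`, not just the numeric URL ones. Second, even with every INSERT parameterised, a row like `<script>alert(1)</script>` is perfectly valid data, so the read side must encode on output (in the ColdFusion versions current in 2010, `HTMLEditFormat()` around `RS1.FEEDBACK` and `RS1.LEFT_BY`) rather than trying to "clean" the SELECT, which has nothing to clean.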

