On Thu, Sep 23, 2010 at 11:24 AM, Russ Michaels <[email protected]> wrote:

> That applies across the board Rick, to any sql in any code on any site. If

No, it certainly doesn't. If you write the SQL, they can't post additional form fields that you're not expecting and have them get into your SQL statement.

> You can SCAN the FORM scope and simply remove anything that shouldn't be
> there or simply do not execute the SQL code if you think the request did not
> come from the original form.

Well sure but that kinda defeats the purpose of the simplicity of these tags.

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:337393
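An added example, not code from the thread, of the FORM-scope scan Russ describes, written in CFScript: it keeps only an allow-list of expected field names (and refuses the request if anything else was posted) so that extra fields never reach a tag that builds its SQL from the whole FORM scope, which is what cfinsert/cfupdate do. The field names, the `expected` list and the form it belongs to are assumptions for illustration.

```cfml
<cfscript>
// Added example, not from the cf-talk thread. Returns a copy of the posted
// FORM scope that holds only the fields this page actually expects, so a
// request carrying extra fields (a column the form never exposes) cannot be
// fed into a tag or query that takes every form field as-is.
function allowListedForm(required struct formScope, required array expected) {
    var clean = {};
    var name = "";
    for (name in arguments.expected) {
        // Struct keys are case-insensitive in CFML, so a posted "TITLE" still matches "title".
        if (structKeyExists(arguments.formScope, name)) {
            clean[name] = arguments.formScope[name];
        }
    }
    return clean;
}

// Russ's second option: any unexpected field is a sign the request did not
// come from the original form, so do not run the SQL at all.
function hasUnexpectedFields(required struct formScope, required array expected) {
    var name = "";
    var allowed = arrayToList(arguments.expected);
    for (name in structKeyArray(arguments.formScope)) {
        // FIELDNAMES is added by ColdFusion itself, not posted by the user.
        if (name == "FIELDNAMES") continue;
        if (listFindNoCase(allowed, name) == 0) return true;
    }
    return false;
}

// Assumed field list for a hypothetical "edit post" form.
expected = ["title", "body", "author_id"];

if (hasUnexpectedFields(FORM, expected)) {
    // Refuse rather than guess what the extra fields were meant to do.
    writeOutput("Unexpected form fields; request rejected.");
    abort;
} else {
    // safeForm now holds only title, body and author_id; pass those to your
    // own cfquery (with cfqueryparam) instead of handing the raw FORM scope
    // to cfinsert/cfupdate.
    safeForm = allowListedForm(FORM, expected);
}
</cfscript>
```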

