> if you're using SQL server 7 you should _always_ use Val() in
> CFQUERY tags when expecting an integer because if your CFQUERY says:
>
> SELECT foo
> FROM bar
> WHERE id=#url.id#
>
> and someone changes the URL from:
> www.mysite.com/qwe.cfm?id=1
> to
> www.mysite.com/qwe.cfm?id=1;delete%20from%20bar
> then what gets thrown to the dB is:
>
> SELECT foo
> FROM bar
> WHERE id=1;delete from bar
>
> and sql server 7 treats this as 2 valid sql statements and runs it....
>
> You should write:
>
> SELECT foo
> FROM bar
> WHERE id=#Val(url.id)#
Actually, you should use CFQueryParam:
SELECT foo
FROM bar
WHERE id=<CFQueryParam value="#URL.ID#" CFSQLType="CF_SQL_INTEGER">
Philip Arnold
Director
Certified ColdFusion Developer
ASP Multimedia Limited
T: +44 (0)20 8680 1133
"Websites for the real world"
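To make the difference between the three patterns in this thread concrete, here is an added example (not from the thread or from ColdFusion itself) written in Python against an in-memory SQLite table. The table `bar`, its two rows and the function names are constructed for illustration; `cf_val()` is only an approximation of ColdFusion's Val() (leading number or 0), and `executescript()` stands in for a server that executes a batch of statements the way the quoted message describes SQL Server 7 doing. The parameterized path rejects a non-integer value with an error, which is the behaviour assumed for a CFQueryParam typed CF_SQL_INTEGER.

```python
import re
import sqlite3

# Constructed sample input: the tampered URL parameter quoted in the thread.
TAMPERED_ID = "1;delete from bar"


def setup_db() -> sqlite3.Connection:
    """Fresh in-memory database with a constructed 'bar' table of two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bar (id INTEGER PRIMARY KEY, foo TEXT)")
    conn.executemany("INSERT INTO bar VALUES (?, ?)", [(1, "one"), (2, "two")])
    conn.commit()
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM bar").fetchone()[0]


def build_query_by_interpolation(url_id: str) -> str:
    """Emulates  WHERE id=#url.id#  : the raw request value is spliced
    straight into the SQL text, so any SQL it contains becomes part of the query."""
    return f"SELECT foo FROM bar WHERE id={url_id}"


def cf_val(text: str) -> float:
    """Approximation (assumption) of ColdFusion Val(): the leading numeric
    portion of the string, or 0 when there is none."""
    match = re.match(r"\s*[+-]?(\d+\.?\d*|\.\d+)", text)
    return float(match.group(0)) if match else 0.0


def build_query_with_val(url_id: str) -> str:
    """Emulates  WHERE id=#Val(url.id)#  : only the leading number survives."""
    value = cf_val(url_id)
    rendered = str(int(value)) if value == int(value) else str(value)
    return f"SELECT foo FROM bar WHERE id={rendered}"


def query_parameterized(conn: sqlite3.Connection, url_id: str) -> list:
    """Emulates  <CFQueryParam value="#URL.ID#" CFSQLType="CF_SQL_INTEGER">  :
    the value is type-checked and bound as a parameter, never parsed as SQL."""
    try:
        value = int(url_id)
    except ValueError:
        # CF_SQL_INTEGER is assumed to reject non-integer input with an error.
        raise ValueError(f"id must be an integer, got {url_id!r}")
    rows = conn.execute("SELECT foo FROM bar WHERE id=?", (value,))
    return [row[0] for row in rows]


def compare_approaches(url_id: str) -> dict:
    """Runs each approach against its own fresh database and reports how many
    rows are left in 'bar' afterwards (2 means the table survived intact)."""
    results = {}

    # 1. Raw interpolation, executed as a batch like the server in the thread.
    conn = setup_db()
    conn.executescript(build_query_by_interpolation(url_id))
    results["interpolated"] = row_count(conn)

    # 2. Val(): the trailing SQL is discarded before the text reaches the DB.
    conn = setup_db()
    conn.executescript(build_query_with_val(url_id))
    results["val"] = row_count(conn)

    # 3. Parameterized: the value is data, and a non-integer is refused outright.
    conn = setup_db()
    try:
        query_parameterized(conn, url_id)
        results["param"] = row_count(conn)
    except ValueError:
        results["param"] = "rejected"
    return results


if __name__ == "__main__":
    print(build_query_by_interpolation(TAMPERED_ID))
    print(build_query_with_val(TAMPERED_ID))
    print(compare_approaches(TAMPERED_ID))
    print(compare_approaches("2"))
```

Running it shows the interpolated query arriving as two statements and emptying the table, Val() reducing the input to `1`, and the parameterized version refusing the value before any SQL runs. Val() only helps when an integer is expected; CFQueryParam also covers string and other column types, which is why the reply prefers it.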