I was looking through the archives and it seems as if it's taboo to actually explain how this hack works, but everybody who knows talks about having solved it. I heard something about putting a val() function or something like that around all the text inside your cfquery tags, or was it around each value being sent to the sproc? I've never tried that; does it work?

At my work we use only stored procedures, and it seems that even when the sprocs use dynamic SQL themselves, I am unable to sneak in an extra SQL statement to drop a table or whatever. I think this hack only works in a command-line type interface like cfquery. I have tried putting in quotes and all sorts of stuff, and even when it looks right and doesn't throw an error, it doesn't execute. However, I can still sneak one in after the EXEC statement by appending it to the last parameter passed to the sproc. All a person needs for that is some debug info or time to guess.

So how do I stop this? The easy way seemed to be to go to the datasource in the CF Administrator and restrict SQL operations to stored procedures only. But when I do this, it rejects my EXEC statements, telling me that only SELECT, INSERT, UPDATE, DELETE and CALL are recognized commands, or something like that. So what is CALL for, and does checking "stored procedures" there in the admin restrict you to (the miserably failing) cfstoredproc tag, or is CALL for calling sprocs?

Thanks in advance

-----------------------------------------------------
Ken Beard
Manager, Application Development
Stone Ground Solutions
5100 West Kennedy Blvd, Suite 430
Tampa FL 33602
813.387.1235 voice
866.767.4051 toll free
813.387.1237 fax
www.stoneground.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
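As an added illustration (not the poster's code; it assumes a hypothetical stored procedure dbo.GetOrder taking one integer and a datasource named "dsn"): the first block builds the EXEC command by concatenating a URL value into the SQL text, which is the shape that lets extra SQL ride in on the last parameter; the other two bind the same value through cfqueryparam and cfprocparam so the driver receives a typed parameter rather than more command text.

```cfml
<!--- Added example. Assumes a hypothetical procedure dbo.GetOrder(@orderId int)
      and a datasource named "dsn". --->

<!--- Vulnerable: the URL value is pasted straight into the command text.
      Anything that follows it in the request is parsed as more SQL, so a
      second statement appended to the last parameter runs with the
      application's database rights. --->
<cfquery name="orderBad" datasource="dsn">
    EXEC dbo.GetOrder #url.orderId#
</cfquery>

<!--- Hardened (1): same cfquery, but the value is bound as a typed parameter.
      cf_sql_integer is validated before the statement is sent, and the value
      is never part of the SQL text, so there is nothing to append to. --->
<cfquery name="orderOk" datasource="dsn">
    EXEC dbo.GetOrder <cfqueryparam value="#url.orderId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Hardened (2): cfstoredproc with cfprocparam. Each argument is bound by
      position and type; no command string is built at all. --->
<cfstoredproc procedure="dbo.GetOrder" datasource="dsn">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#url.orderId#">
    <cfprocresult name="orderOk2">
</cfstoredproc>
```

For values that must stay text (a name, a search string), cf_sql_varchar with a maxlength gives the same binding; wrapping a value in val() only helps for numeric arguments, since it coerces the input to a number rather than binding it.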

