I don't think that hurts anything as long as you use a val() statement.
val(90;''%20DROP%20TABLE%20IMAGES) is still going to be 90.
The worst case scenario is that you will throw a CF error because of syntax,
but that doesn't hurt anything.
Even if they use seldir=90);......
it won't matter, because you are feeding a literal into the val function, not
building a SQL string with it.
The whole point is you have CF do SOMETHING with the value before you tack
it on to your ODBC string.
----- Original Message -----
From: "Michael Lugassy" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, July 06, 2001 8:12 AM
Subject: Re: URL Hacks (even more)
> What about people who write something like this:
>
> http://www.vawter.com/slideshow.cfm?seldir=90;'%20DROP%20TABLE%20IMAGES
> or
> http://www.vawter.com/slideshow.cfm?seldir=90;''%20DROP%20TABLE%20IMAGES
>
> ' or '' between/after/in the middle of the URL, thus closing the first condition
> and opening a new statement??
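As an added illustration (not code from either poster), the coercion argued above, replayed in Python: `cf_val` is my approximation of ColdFusion's val() (numeric prefix of the string, otherwise 0), the IMAGES table and column names are constructed, and the payloads are the two URLs quoted in the thread. It shows the string that would be tacked onto the ODBC query after val(), and, as the stricter alternative, the same lookup with a bound parameter.

```python
import re
import sqlite3
from urllib.parse import unquote

# Approximation of ColdFusion's val(): optional sign, digits, optional decimal
# part at the start of the string; anything else (or no digits) yields 0.
_NUM_PREFIX = re.compile(r"^\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)")

def cf_val(value: str) -> float:
    m = _NUM_PREFIX.match(value)
    return float(m.group(0)) if m else 0.0

def coerced_sql(seldir_param: str) -> str:
    """The poster's approach: coerce the URL value, then concatenate it."""
    dir_id = int(cf_val(unquote(seldir_param)))   # URL-decode as CF would
    return "SELECT name FROM IMAGES WHERE seldir = %d" % dir_id

def build_demo_db() -> sqlite3.Connection:
    # Constructed stand-in for the slideshow database discussed in the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IMAGES (id INTEGER, seldir INTEGER, name TEXT)")
    conn.executemany("INSERT INTO IMAGES VALUES (?, ?, ?)",
                     [(1, 90, "a.jpg"), (2, 90, "b.jpg"), (3, 91, "c.jpg")])
    conn.commit()
    return conn

def query_images(conn: sqlite3.Connection, seldir_param: str) -> list:
    """Stricter form: coerce AND bind, so the SQL text never holds raw input."""
    dir_id = int(cf_val(unquote(seldir_param)))
    rows = conn.execute("SELECT name FROM IMAGES WHERE seldir = ?", (dir_id,))
    return [r[0] for r in rows.fetchall()]

def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = build_demo_db()
    for p in ("90;'%20DROP%20TABLE%20IMAGES", "90;''%20DROP%20TABLE%20IMAGES",
              "90);......", "'%20DROP%20TABLE%20IMAGES"):
        print(repr(p), "->", coerced_sql(p), query_images(db, p))
    print("IMAGES still present:", table_exists(db, "IMAGES"))
```

Note that a value with no leading digits coerces to 0 rather than raising an error, so a query for dir 0 is what reaches the database in that case.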
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists