If you are using 4.5 or above, you can use the cfqueryparam and that helps.
You can also do checks to see if your variables are integers or not(if that is what you are passing), you can also compare vars to make sure what you passed is whats there.. There are also many other things you can do.. HTH Clint -----Original Message----- From: Ian Lurie [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 10:17 AM To: CF-Talk Subject: Preventing SQL injection attacks...? Hi all, Had some interesting errors in our logs yesterday. It appears that someone's trying to hack our database by inserting SQL query language into the URL string. We're doing all the standard security measures, including filtering for single quotes, using database passwords, and the like, and we locked out their IP immediately. But really, how do you prevent this? Any ideas/feedback out there? Ian Portent Interactive Helping clients build customer relationships on the web since 1995 Consulting, design, development, measurement http://www.portentinteractive.com ______________________________________________________________________ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/[email protected]/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
