Sorry, I didn't see your question at the bottom. One thing that will 
definitely help is using CFQUERYPARAM to enforce datatype checks on your 
conditional statements.

http://livedocs.adobe.com/coldfusion/6.1/htmldocs/tags-b20.htm

Also, consider writing code that will strip out certain commands from 
form variables that are being submitted and saved to your DB. You won't 
be able to catch every phrase, but there are things to look out for. 
Check the CF-Talk archive for your topic for past examples of how to 
tackle this.

Rey

Rick King wrote:
> Hey all,
> 
> I just received this email that is generated when there is an error on a site 
> I built (www.woreitonce.com)
> 
>  -------------------E-MAIL--------------------------------
> Invalid data 1 and 1=convert(int,(select top 1 char(97)+admin_password from 
> tbl_adminusers)) for CFSQLTYPE CF_SQL_INTEGER.  <br>The error occurred on 
> line 30.
>  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 
> Firefox/2.0.0.6
>  81.10.46.130
> 
>  /Details.cfm
>  
> ProdID=1%20and%201=convert(int,(select%20top%201%20char(97)%2badmin_password%20from%20tbl_adminusers))
> 
> ---------------------E-MAIL------------------------
> 
> Is this a SQL injection attack? Anything I can do?
> 
> Thanks
> Rick

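The advice above in working form, as an added example that is not the code from www.woreitonce.com or from the CF-Talk thread. It assumes a Details.cfm that looks up one product by the ProdID URL parameter, a product table named tbl_products, a comments table named tbl_comments and a datasource held in application.dsn; all of those names are assumptions. The first query shows the pattern that the request in Rick's email is aimed at, the second shows the same query with the parameter bound through CFQUERYPARAM, and the third applies the same binding to a free-text form field instead of trying to strip SQL keywords out of it.

```cfml
<!--- Details.cfm (example code, not the site's own).
      tbl_products, tbl_comments, ProdID and application.dsn are assumed names. --->

<!--- BEFORE: the URL value is pasted straight into the SQL text.
      With ProdID=1 and 1=convert(int,(select top 1 char(97)+admin_password from tbl_adminusers))
      the WHERE clause becomes the attacker's expression. SQL Server tries to
      convert 'a' + admin_password to an integer, fails, and the conversion
      error message quotes the string it could not convert, which is the
      password. Any error page that shows the database message leaks it. --->
<cfquery name="getProduct" datasource="#application.dsn#">
    SELECT ProdID, ProdName, Price
    FROM tbl_products
    WHERE ProdID = #url.ProdID#
</cfquery>

<!--- AFTER: check the shape of the value first, then bind it as a typed
      parameter. CFQUERYPARAM validates the value against the declared
      CFSQLTYPE before the statement runs (an injected string is rejected
      with "Invalid data ... for CFSQLTYPE CF_SQL_INTEGER") and passes it to
      the driver as a bind variable, so it can never change the statement. --->
<cfparam name="url.ProdID" default="0">

<!--- Plain digits only; a regex works on every ColdFusion version, whereas
      isValid("integer", ...) needs ColdFusion 7 or later. --->
<cfif NOT REFind("^[0-9]{1,9}$", url.ProdID)>
    <!--- Answer with a 404 rather than an error page that describes the query. --->
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<cfquery name="getProduct" datasource="#application.dsn#">
    SELECT ProdID, ProdName, Price
    FROM tbl_products
    WHERE ProdID = <cfqueryparam value="#url.ProdID#" cfsqltype="CF_SQL_INTEGER">
</cfquery>

<!--- Free-text form data saved to the DB: bind it as a bounded string.
      The value is data to the driver, so words like "select" or "convert"
      inside it are harmless and do not need to be stripped. --->
<cfif isDefined("form.CommentText")>
    <cfquery datasource="#application.dsn#">
        INSERT INTO tbl_comments (ProdID, CommentText)
        VALUES (
            <cfqueryparam value="#url.ProdID#" cfsqltype="CF_SQL_INTEGER">,
            <cfqueryparam value="#form.CommentText#" cfsqltype="CF_SQL_VARCHAR" maxlength="500">
        )
    </cfquery>
</cfif>
```

Two things worth noticing when reading the error Rick received against this code. The text "Invalid data ... for CFSQLTYPE CF_SQL_INTEGER" is exactly what CFQUERYPARAM emits when it refuses a value, so on that request the parameter was already bound and the attempt did not reach SQL Server; the remaining job is to make sure every other query on the site binds its inputs the same way and that the error handler never shows the caller the SQL or the database's own message. Stripping SQL keywords from submitted text, as the reply suggests, is a blacklist: it is easy to bypass with encoding or casing and it mangles legitimate input, so treat it as a second line behind CFQUERYPARAM, not as the fix.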
Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285488