Are you kidding??? I just replace form.lastname with:

    test'; DROP TABLE table;

Poof, your data's gone.

Or, if you really wanna get tricky and someone has debugging turned on, or you can guess field / table names: let's say you have a fName and lName column outputting a list, and I can figure that out. Now I replace form.lastname with this:

    test'; SELECT credit_card_num as fName, expireDate as lName FROM creditCards;

Now instead of seeing a firstname / lastname directory, I see a list of all your credit cards in the database =)

ALWAYS use cfqueryparam, or clean the crap out of any incoming variables to ensure they are not being exploited.

Chris Peterson
Gainey IT
Adobe Certified Advanced ColdFusion Developer

-----Original Message-----
From: Rick Schmitty [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 08, 2007 2:57 PM
To: CF-Talk
Subject: cfquery: quotes vs queryparam

Is there any way for someone to hack a quoted query?

    <cfquery>
    select * from table where name='#form.lastname#'
    </cfquery>

vs

    <cfquery>
    select * from table where name=<cfqueryparam cfsqltype="cf_sql_varchar" maxlength="255" value="#form.lastname#"/>
    </cfquery>

Seems anything I throw at the quoted query gets escaped correctly...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Get involved in the latest ColdFusion discussions, product development sharing, and articles on the Adobe Labs wiki.
http://labs/adobe.com/wiki/index.php/ColdFusion_8
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285734
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
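The two query styles from the thread, worked through end to end as an added example (not code from either poster). Python's sqlite3 module stands in for cfquery: string concatenation plays the role of the quoted query and a bound `?` placeholder plays the role of cfqueryparam, with cfqueryparam's maxlength enforced in Python. The schema, table names (people, creditCards), column names and card numbers are constructed for the example. Chris's stacked SELECT is shown in its UNION form, because a driver that runs several statements per call discards the second result set, whereas UNION lands the card data in the rows the page already displays; his DROP TABLE payload is run through executescript(), the sqlite3 entry point that accepts several statements in one call. One caveat the thread does not cover: escaping or doubling single quotes only helps where the value sits inside quotes, so an unquoted numeric column (`where id=#url.id#`) still needs a bound parameter.

```python
import sqlite3

# Constructed sample schema (an assumption for this example): the first/last
# name directory from the thread plus the creditCards table named in the reply.
SCHEMA = """
CREATE TABLE people (fName TEXT, lName TEXT);
INSERT INTO people VALUES ('Rick', 'Schmitty'), ('Chris', 'Peterson');
CREATE TABLE creditCards (credit_card_num TEXT, expireDate TEXT);
INSERT INTO creditCards VALUES ('4111111111111111', '2009-12'),
                               ('5500000000000004', '2008-03');
"""

# Constructed attacker inputs, i.e. values submitted as form.lastname.
UNION_PAYLOAD = "x' UNION SELECT credit_card_num, expireDate FROM creditCards --"
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
DROP_PAYLOAD = "test'; DROP TABLE people; --"


def build_db():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, lastname):
    """The quoted-query pattern: the submitted value is pasted into the SQL
    text, so a single quote in it ends the literal and the rest is parsed as
    SQL. The trailing -- in the payloads comments out the closing quote."""
    sql = "SELECT fName, lName FROM people WHERE lName='%s'" % lastname
    return conn.execute(sql).fetchall()


def vulnerable_lookup_stacked(conn, lastname):
    """Same concatenation, executed through a path that accepts several
    statements per call. sqlite3's execute() refuses that, so executescript()
    is used here to show what the DROP TABLE payload does on a driver that
    allows it. Result rows are discarded, which is why data theft uses UNION."""
    sql = "SELECT fName, lName FROM people WHERE lName='%s'" % lastname
    conn.executescript(sql)


def safe_lookup(conn, lastname, maxlength=255):
    """The cfqueryparam pattern: the value travels to the database as a bound
    parameter with a declared type and length, never as part of the SQL text,
    so quotes, comments and keywords in it are just characters to compare."""
    if not isinstance(lastname, str) or len(lastname) > maxlength:
        raise ValueError("lastname must be a string of at most %d chars" % maxlength)
    return conn.execute(
        "SELECT fName, lName FROM people WHERE lName=?", (lastname,)
    ).fetchall()


def table_exists(conn, name):
    """True if a table with this name is still in the schema."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row[0] == 1


def demo():
    """Run every payload against both query styles and collect the outcomes."""
    conn = build_db()
    out = {}
    out["union_vulnerable"] = vulnerable_lookup(conn, UNION_PAYLOAD)      # card rows
    out["union_safe"] = safe_lookup(conn, UNION_PAYLOAD)                  # []
    out["tautology_vulnerable"] = vulnerable_lookup(conn, TAUTOLOGY_PAYLOAD)  # everyone
    out["tautology_safe"] = safe_lookup(conn, TAUTOLOGY_PAYLOAD)          # []
    out["drop_safe"] = safe_lookup(conn, DROP_PAYLOAD)                    # []
    out["people_before_drop"] = table_exists(conn, "people")              # True
    vulnerable_lookup_stacked(conn, DROP_PAYLOAD)
    out["people_after_drop"] = table_exists(conn, "people")               # False
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %r" % (key, value))
```

Run it and the vulnerable lookup returns the creditCards rows for the UNION payload and every person for the tautology, while the same strings through the bound parameter simply match nothing; after the stacked DROP the people table is gone, and the bound-parameter version leaves it untouched.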