> Are you kidding??? I just replace form.lastname
> with: " test'; DROP TABLE table; "
> Poof, your data'z are gone
ColdFusion would escape that single quote, rendering this attempt pretty much useless and "data'z" would still be there. I'm not suggesting that you shouldn't use CFQUERYPARAM wherever possible, but it's not so simple to inject with a quoted string as it may seem at first glance (it can certainly be done). Now, if this were ASP.Net...

-Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285742
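An added illustration of the point above, not code from the original thread: ColdFusion doubles single quotes in any variable interpolated into a CFQUERY body, which neutralises the quoted-string payload in the quoted message, but that same escaping gives no protection in an unquoted numeric position, which is one of the ways it "can certainly be done". CFQUERYPARAM covers both cases. The datasource name (myDSN), table and column names (users, id, lastname) are assumptions.

```cfml
<!--- Case 1: variable inside a quoted string literal.
      ColdFusion doubles any single quote in #form.lastname# before the
      SQL is sent, so  test'; DROP TABLE table;  reaches the database as
      the literal 'test''; DROP TABLE table; ' and matches nothing. --->
<cfquery name="byName" datasource="myDSN">
    SELECT id, lastname
    FROM users
    WHERE lastname = '#form.lastname#'
</cfquery>

<!--- Case 2: variable in an unquoted numeric position.
      Quote doubling still happens, but a value here needs no quote to
      change the statement, so the automatic escaping does not help:
      whatever is in url.id is concatenated into the SQL verbatim. --->
<cfquery name="byId" datasource="myDSN">
    SELECT id, lastname
    FROM users
    WHERE id = #url.id#
</cfquery>

<!--- Hardened forms: CFQUERYPARAM sends the value as a bound parameter,
      separate from the SQL text, and validates it against the declared
      cfsqltype. A non-integer url.id throws a ColdFusion error instead
      of reaching the database; maxlength bounds the string input. --->
<cfquery name="byNameSafe" datasource="myDSN">
    SELECT id, lastname
    FROM users
    WHERE lastname = <cfqueryparam value="#form.lastname#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>

<cfquery name="byIdSafe" datasource="myDSN">
    SELECT id, lastname
    FROM users
    WHERE id = <cfqueryparam value="#url.id#"
                             cfsqltype="cf_sql_integer">
</cfquery>
```

A quick check for the unparameterised pattern is to search the code base for `#` inside CFQUERY bodies that are not wrapped in a CFQUERYPARAM tag; the numeric comparisons are the ones the automatic quote escaping does not cover.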