Few things:

1) Set up the CFQUERY statement to use a username/password that only does things
you like in the database (basically give it your choice of SELECT, INSERT,
UPDATE, DELETE rights). You are using an enterprise-level database, aka SQL 7
or Oracle, now aren't you?

2) At the CF level, you can build your statements to check for malicious
statements as such. If I recall correctly, somebody built a custom tag to do
all that searching for you; check it out at the Allaire development exchange
(http://ww.allaire.com).

Gregory Harris
Web Developer
Stirling Bridge Group LLC
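As an added illustration (not code from either poster), here is the situation Kevin describes in ColdFusion: a CFQUERY that pastes a URL variable straight into its WHERE clause, beside the same query with the value type-checked and bound through cfqueryparam so the database driver receives it as data rather than as SQL text. The datasource, table and column names are assumed.

```cfml
<!--- Vulnerable: URL.id is interpolated into the SQL text, so the database
      parses whatever arrived in the query string as part of the statement. --->
<cfquery name="getProduct" datasource="store">
    SELECT product_id, name, price
    FROM   products
    WHERE  product_id = #URL.id#
</cfquery>

<!--- Hardened, step 1: reject the request up front if the value is not a number
      (cfparam throws when the type check fails, so the query never runs). --->
<cfparam name="URL.id" type="numeric">

<!--- Hardened, step 2: bind the value as a typed parameter. cfqueryparam passes it
      to the driver separately from the SQL text, so it cannot alter the statement. --->
<cfquery name="getProduct" datasource="store">
    SELECT product_id, name, price
    FROM   products
    WHERE  product_id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String inputs get the same treatment, plus a length limit matching the column. --->
<cfparam name="URL.lastname" type="string">
<cfquery name="findCustomer" datasource="store">
    SELECT customer_id, last_name
    FROM   customers
    WHERE  last_name = <cfqueryparam value="#URL.lastname#"
                                     cfsqltype="cf_sql_varchar" maxlength="40">
</cfquery>
```

This complements Gregory's first point rather than replacing it: the datasource login should still hold only the SELECT/INSERT/UPDATE/DELETE rights the application needs, so a query that does slip through has little to work with.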

----- Original Message -----
From: "Kevin Schmidt" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, November 13, 2000 10:41 AM
Subject: Security and SQL


> I pass a few values through a URL variable that I use in where clauses in my
> SQL.  I want to prevent someone from passing malicious SQL through that
> value.  What are my options??
>
> Kevin Schmidt
> Internet Services Director
> PWB Integrated Marketing and Communications
> Office: 734.995.5000
> Mobile: 734.649.4843
>
>
>
> ------------------------------------------------------------------------------------------------
> Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
> Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send a message with 'unsubscribe' in the body to [EMAIL PROTECTED]
