Easy. sp_executesql

The point here is, you can spend a lifetime guessing every bad way a hacker can ruin your database. The root cause, however, is that your input is not bound to a parameter in your SQL statement. Cfqueryparam closes that hole for good. Whether you want to ban people's IPs and junk is up to you, but that can be a slippery slope when you start banning legit people because they typed the word "execute" into a comments form.

~Brad

-----Original Message-----
From: Andy Matthews [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2008 2:47 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

I'm just talking about executing SQL, not SQL injection methods.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309385
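
The contrast drawn in the reply above, between keyword filtering and parameter binding, as an added example that is not part of the original thread. Python's `sqlite3` placeholders stand in for `cfqueryparam` here; the blacklist pattern, table, and sample comments are constructed for illustration.

```python
import re
import sqlite3

# Hypothetical keyword blacklist of the kind the reply argues against.
BLACKLIST = re.compile(r"\b(execute|exec|declare|drop|delete)\b", re.IGNORECASE)


def blacklist_allows(text):
    """Return True if the keyword filter would let this input through."""
    return BLACKLIST.search(text) is None


def save_comment(conn, author, body):
    """Insert with bound parameters: values travel separately from the SQL text."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    # Constructed sample inputs.
    samples = [
        # Legitimate comment that the filter rejects (false positive).
        ("alice", "We plan to execute the migration Friday; don't drop the ball."),
        # Mentions a procedure name that the word-boundary filter never sees.
        ("carol", "Is sp_executesql covered by your filter?"),
        # Input containing SQL syntax: with binding it is stored as plain data.
        ("bob", "x'); DELETE FROM comments; --"),
    ]
    results = []
    for author, body in samples:
        allowed = blacklist_allows(body)
        save_comment(conn, author, body)  # binding needs no filter decision
        stored = conn.execute(
            "SELECT body FROM comments WHERE author = ?", (author,)
        ).fetchone()[0]
        results.append((author, allowed, stored == body))
    count = conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]
    conn.close()
    return results, count


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

Each tuple is (author, filter verdict, stored verbatim): the filter's verdicts vary with wording, while every bound value round-trips unchanged and all three rows remain in the table.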