> How can it be processed when USER_ID in the database is
> specified for LENGTH 15 and the USER_ID with hacker code has
> a length like 100?

For the purpose of preventing SQL injection, the length of the field in your
prepared statement doesn't matter. It is enough for it to be a prepared
statement, which you build in CF using CFQUERYPARAM. Without it, the
database has no idea which parts of the query are supposed to be executable
SQL, and which parts are supposed to be data.

In a successful SQL injection attack, the value that's injected would be
more than just your USER_ID value; it would also contain executable SQL
code, and your database would simply execute the code; it would not assume
that this code is supposed to be part of your USER_ID value.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
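The point Dave makes above, shown in runnable form. This is an added example, not code from the original message: it uses Python's sqlite3 module as a stand-in for a CFQUERY/CFQUERYPARAM pair, since both hand the database the SQL text and the parameter value separately. The table, the sample rows and the 100-character hostile value are all constructed here. Note that SQLite does not enforce VARCHAR lengths, so the length check is done in the application, which is what CFQUERYPARAM's `maxlength` attribute does for you in CF.

```python
import sqlite3

# Constructed in-memory schema: USER_ID is declared as 15 characters,
# mirroring the column in the question. SQLite ignores the declared length,
# so the length rule is enforced in lookup_user_checked() below.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (user_id VARCHAR(15) PRIMARY KEY, name TEXT)")
conn.executemany(
    "INSERT INTO users VALUES (?, ?)",
    [("alice01", "Alice"), ("bob02", "Bob")],
)
conn.commit()

USER_ID_MAX = 15


def lookup_user(user_id: str):
    """Parameterised lookup (the sqlite3 analogue of CFQUERYPARAM).

    The SQL text is fixed; user_id travels as a bound value. The database
    therefore never parses user_id as SQL, whatever its length or content:
    a 100-character value containing quotes and keywords simply matches no row.
    """
    cur = conn.execute("SELECT name FROM users WHERE user_id = ?", (user_id,))
    row = cur.fetchone()
    return row[0] if row else None


def lookup_user_checked(user_id: str):
    """Same lookup with an application-side length check.

    This is the analogue of cfqueryparam's maxlength attribute: input longer
    than the column is rejected before the query is sent at all. The check is
    a data-quality rule, not the injection defence; the bound parameter is.
    """
    if len(user_id) > USER_ID_MAX:
        raise ValueError(f"user_id longer than {USER_ID_MAX} characters")
    return lookup_user(user_id)


def row_count() -> int:
    """Number of rows in users; lets a caller confirm the table was untouched."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


# Constructed hostile value: SQL-looking text padded to exactly 100 characters.
HOSTILE = "x' OR 'a'='a' --".ljust(100, "-")

if __name__ == "__main__":
    print(lookup_user("alice01"))   # Alice
    print(lookup_user(HOSTILE))     # None: treated as a 100-char string, not SQL
    print(row_count())              # 2: nothing was executed against the table
```

Running it shows the two halves of the answer: the bound parameter keeps the hostile value as data regardless of length, and the length check is a separate, optional validation on top.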
