Ben, Seeing as how this type of sql injection attack is succeeding so much (even my favorite fishing website has been down for days due to it (it is a .cfm site))... how about changing cfquery so that by default, only ONE sql statment can be sent. Let us override that with a parameter in cfquery or a cfprocessing driective type of thing in our application.cfm..
I doubt many people use multiple sql statements in one cfquery, and those that do are probably advanced enough to know to add the parameter for allowing it.. You can call this enhancement request cf_trainingWheels How many people out there group together (intentionally) multiple sql statements in one cfquery? (Like "select email from users where id=1; drop table users") Al ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309696 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4