That actually wouldn't work because ColdFusion automatically escapes single quotes inside strings inside cfquery.

But maybe this:

<cfset NewPassword = "whatever" />
<cfset userid = "1 OR 1=1 --" />

<cfquery ...>
UPDATE users
SET pass = '#NewPassword#'
WHERE userid = '#Userid#'
</cfquery>

But... your point is well made :)

On Mon, Aug 17, 2009 at 9:22 AM, Peter Boughton<bought...@gmail.com> wrote:
>
> Not all injection tricks are based upon multi-statement SQL!
>
> Example bad code:
>
> <cfset NewPassword = "whatever" />
> <cfset Username = "bob' OR 1=1 --" />
>
> <cfquery ...>
> UPDATE users
> SET pass = '#NewPassword#'
> WHERE user = '#Username#'
> </cfquery>
>
> Using cfqueryparam will avoid this problem.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325501
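The following is an added demonstration, not code from either poster, that plays out both payloads in the thread against a small in-memory SQLite table using Python's sqlite3 module as a stand-in for cfquery. The `cf_escape` helper is an assumed model of the single-quote doubling the first poster describes; the unquoted form `WHERE userid = #Userid#` is an assumption about where a numeric payload such as `1 OR 1=1 --` bites, since quote escaping has nothing to act on there. The bound-parameter functions stand in for cfqueryparam. Each function rebuilds the table so the row counts it returns are independent.

```python
import sqlite3

# Constructed sample data: three users with distinct passwords.
SEED = [(1, "alice", "a-secret"), (2, "bob", "b-secret"), (3, "carol", "c-secret")]


def fresh_db():
    """Return a new in-memory database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED)
    return conn


def cf_escape(value):
    """Assumed model of cfquery's automatic escaping: single quotes are doubled."""
    return str(value).replace("'", "''")


def run_update(conn, sql, params=()):
    """Execute an UPDATE and return how many rows it touched."""
    cur = conn.execute(sql, params)
    conn.commit()
    return cur.rowcount


def update_by_name_interpolated(username, new_password, escape=True):
    """String interpolation into a quoted literal, like WHERE user = '#Username#'.
    With escape=False this is the raw concatenation Peter's example warns about;
    with escape=True it models what cfquery actually sends."""
    conn = fresh_db()
    esc = cf_escape if escape else str
    sql = "UPDATE users SET pass = '%s' WHERE user = '%s'" % (esc(new_password), esc(username))
    return run_update(conn, sql)


def update_by_id_interpolated(userid, new_password):
    """Interpolation into an unquoted numeric comparison (assumed form
    WHERE userid = #Userid#). Quote escaping cannot help: there is no quote to escape."""
    conn = fresh_db()
    sql = "UPDATE users SET pass = '%s' WHERE userid = %s" % (cf_escape(new_password), userid)
    return run_update(conn, sql)


def update_by_id_param(userid, new_password):
    """Bound parameters, the equivalent of cfqueryparam: the payload is data, never SQL."""
    conn = fresh_db()
    return run_update(conn, "UPDATE users SET pass = ? WHERE userid = ?", (new_password, userid))


def update_by_name_param(username, new_password):
    """Bound parameters for the string case."""
    conn = fresh_db()
    return run_update(conn, "UPDATE users SET pass = ? WHERE user = ?", (new_password, username))


if __name__ == "__main__":
    # Peter's payload: raw concatenation resets every password, quote doubling stops it.
    print(update_by_name_interpolated("bob' OR 1=1 --", "whatever", escape=False))  # 3
    print(update_by_name_interpolated("bob' OR 1=1 --", "whatever"))                # 0
    # The numeric payload from the reply against an unquoted comparison: escaping is irrelevant.
    print(update_by_id_interpolated("1 OR 1=1 --", "whatever"))                     # 3
    # Bound parameters: the same payload matches nothing, a real id matches one row.
    print(update_by_id_param("1 OR 1=1 --", "whatever"))                            # 0
    print(update_by_id_param(2, "whatever"))                                        # 1
```

The row count is the useful signal here: a password reset that touches more than one row is the injection succeeding, which is also a cheap check to put in front of any UPDATE that should only ever affect a single account.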