>The qpscanner is ok in general but I want something that will only get >me numeric variables that are not in a cfqueryparam.
That is not enough to protect you! It is not hard to create injection attacks that bypass CF's auto-doubling of quotes. qpscanner deliberately errs on the side of paranoia, because it only takes one small hole for an attacker to get in and cause havoc. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329661 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4