> I have a site page that is only using the query below and the site
> keeps getting hit by SQL hacks. I have looked through every SQL query
> and all the queries are using <cfqueryparam value="#URL.???#"
> cfsqltype="cf_sql_numeric"> so they can't be hacked.
>
> Can someone explain how I can amend this query so it's not hackable?
>
> <cfquery name="RS1" datasource="DS1">
> SELECT FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY, County.County, County.ID
> FROM FEEDBACK INNER JOIN
> County ON (FEEDBACK.COUNTY = County.ID)
> </cfquery>
>
> Thanks
Where are you using cfqueryparam above? With "County.ID"? What are they doing to "hack" your site? Can you give an example?

You can use IsValid before your query as well:

<cfif isValid("integer", form.value)>
    Your Query Here
</cfif>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331930
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
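An added example, written by the editor and not posted by either participant, that shows the point the reply is making. The query in the question takes no request data at all, so it cannot be injected as written; cfqueryparam only matters where a URL or form value reaches the SQL. The block below extends that same query with a hypothetical URL.countyID filter (the parameter name, the 400 response and the output loop are assumptions; DS1, FEEDBACK and County come from the thread), first spliced in as text, which is the injectable pattern, then guarded with isValid and cfqueryparam as the reply suggests.

```cfml
<!--- Added example, not from the original thread. Assumes a URL parameter
      named countyID that narrows the feedback list to a single county. --->

<!--- UNSAFE pattern, kept inside a comment so it never executes: the raw URL
      value becomes part of the SQL text, so ?countyID=1 OR 1=1 rewrites the
      WHERE clause and the database cannot tell data from code. --->
<!---
<cfquery name="RS1" datasource="DS1">
    SELECT FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY, County.County, County.ID
    FROM FEEDBACK INNER JOIN County ON (FEEDBACK.COUNTY = County.ID)
    WHERE County.ID = #URL.countyID#
</cfquery>
--->

<!--- SAFE pattern: check the type first, as the reply suggests, then bind the
      value with cfqueryparam so the driver sends it as a typed parameter. --->
<cfparam name="URL.countyID" default="">

<cfif NOT isValid("integer", URL.countyID)>
    <!--- Reject rather than "clean up": a non-integer here is never a legitimate request. --->
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid county id.</cfoutput>
    <cfabort>
</cfif>

<cfquery name="RS1" datasource="DS1">
    SELECT FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY, County.County, County.ID
    FROM FEEDBACK INNER JOIN County ON (FEEDBACK.COUNTY = County.ID)
    WHERE County.ID = <cfqueryparam value="#URL.countyID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Column names come from the query above; layout is an assumption. --->
<cfoutput query="RS1">
    #County# (#LEFT_BY#): #FEEDBACK#<br>
</cfoutput>
```

The cfsqltype should match the column's real type (cf_sql_integer for an integer key, cf_sql_varchar with a maxlength for free text); a mismatched type is rejected by the driver rather than quietly coerced, which is the behaviour you want. The isValid check is a second line of defence, not a replacement for the parameter: the parameter is what keeps the value out of the SQL text, the check just lets you fail early with a clear error instead of a database exception.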