That's not SQL injection, it's HTML injection. (Or XSS as the fashionable term is).
You need to use HtmlEditFormat (or similar function) to ensure all content output to HTML pages gets appropriately escaped. (If you need to allow certain HTML, escape it all, and then unescape only the safe whitelist.)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331933
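The "escape everything, then unescape only a whitelist" approach from the reply above, as an added CFML example that is not part of the original post. It assumes ColdFusion 8 or later (array literals and cfscript UDFs); the function name `safeHtml` and the tag list are illustrative choices.

```cfml
<cfscript>
// Added example: neutralise all markup with HtmlEditFormat, then re-enable a
// small whitelist of harmless, attribute-free tags. Everything else stays escaped.
function safeHtml(input) {
    var out = "";
    var allowed = ["b", "i", "em", "strong", "p", "br"];  // illustrative whitelist
    var i = 0;

    // Step 1: escape <, >, & and " so no user-supplied tag or attribute is live.
    // Caveat: HtmlEditFormat does not encode the single quote, so only ever emit
    // the result inside double-quoted attributes or in element text.
    // On ColdFusion 10+ encodeForHTML() is the stronger replacement.
    out = HtmlEditFormat(arguments.input);

    // Step 2: unescape only bare whitelisted tags (opening, closing or self-closing).
    // The pattern allows no attributes, so onclick="..." or style="..." never survives;
    // the replacement rebuilds the tag from the trusted list, not from user text.
    for (i = 1; i LTE ArrayLen(allowed); i = i + 1) {
        out = REReplaceNoCase(out,
            "&lt;(/?)" & allowed[i] & "\s*/?&gt;",
            "<\1" & allowed[i] & ">",
            "all");
    }
    return out;
}

// Constructed sample input: <b> is kept, the <a> tag and its attribute are shown as text.
writeOutput(safeHtml("<b>Hi</b> <a href=""#"">link</a>"));
// Renders as: <b>Hi</b> &lt;a href=&quot;##&quot;&gt;link&lt;/a&gt;
</cfscript>
```

In a template the same function is used as `<cfoutput>#safeHtml(form.comment)#</cfoutput>`; the escaping belongs at output time, not when the value is stored.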