That applies across the board, Rick, to any SQL in any code on any site. If you have not taken measures to stop that kind of thing, then you are vulnerable regardless. But it is just as easy to put a stop to that if you're using cfinsert and cfupdate. You can SCAN the FORM scope and simply remove anything that shouldn't be there, or simply do not execute the SQL code if you think the request did not come from the original form.
Russ

-----Original Message-----
From: Rick Root [mailto:rick.r...@gmail.com]
Sent: 23 September 2010 16:21
To: cf-talk
Subject: Re: cfinsert/cfupdate

It seems to me that using cfinsert and cfupdate is a security risk. I mean, what if I wrote a script to post the form with additional form fields? I mean, people don't always know your db structure, but they can guess at things sometimes.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:337388
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
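The FORM-scope scan Russ describes, written out as an added example (this is not code from Russ, Rick, or the cf-talk archive). It shows both options from his reply: strip any field the original form would not have sent before cfinsert sees it, or refuse to run the SQL at all when an unexpected field shows up. The datasource name "myDSN", the table "users" and its three columns are hypothetical.

```cfml
<!---
  Added example, not from the original thread.
  Whitelist of the fields the real form sends. Anything else in the FORM scope
  was added by the client (a scripted POST, a tampered form) and must not reach
  cfinsert/cfupdate, which would otherwise try to write it to a matching column.
  "myDSN", "users" and the column names are hypothetical.
--->
<cfset allowedFields = "firstName,lastName,email">

<!--- Set to true to treat any extra field as a tampered request and abort;
      false to silently drop the extra fields and continue. --->
<cfset rejectTamperedRequests = true>

<!--- Snapshot the keys first: deleting from FORM while looping over FORM itself
      can raise a ConcurrentModificationException on Java-based ColdFusion. --->
<cfset submittedFields = structKeyArray(FORM)>
<cfset unexpectedFields = "">

<cfloop array="#submittedFields#" index="fieldName">
    <!--- FIELDNAMES is added to the FORM scope by ColdFusion, not by the user,
          and cfinsert/cfupdate already ignore it, so it stays. --->
    <cfif fieldName NEQ "FIELDNAMES" AND NOT listFindNoCase(allowedFields, fieldName)>
        <cfset unexpectedFields = listAppend(unexpectedFields, fieldName)>
        <!--- Option 1: remove the field so the tag never sees it. --->
        <cfset structDelete(FORM, fieldName)>
    </cfif>
</cfloop>

<!--- Option 2: the request carried fields the original form does not have,
      so do not trust it and do not execute the SQL. --->
<cfif listLen(unexpectedFields) GT 0>
    <cflog file="application" type="warning"
           text="Unexpected form fields stripped: #unexpectedFields# from #CGI.REMOTE_ADDR#">
    <cfif rejectTamperedRequests>
        <cfthrow type="Tampered.Request"
                 message="Request did not come from the original form.">
    </cfif>
</cfif>

<!--- By this point FORM holds only whitelisted fields. formfields restricts the
      tag to those columns as well, so the scan and the tag agree on the list. --->
<cfinsert datasource="myDSN" tablename="users" formfields="#allowedFields#">
```

The same scan works in front of cfupdate; the only change is the tag at the end. Logging the rejected field names is worth keeping even in strip mode, since a request that carries column names you never exposed is a client probing the table structure, which is exactly the guessing Rick was worried about.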