>> >> Anything and everything received from external, untrusted sources must >> be considered suspect.
I'd add that even if you might not have to worry about a security breach, you still probably want to scrub such variables to prevent errors from being generated (if for instance you expect it to be a numeric value) as anything on the URL (if forward-facing) is going to get a constant barrage of garbage against it that can load your logs up with errors if you aren't handling them. --- Mary Jo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341136 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm