Maybe this has already been mentioned and I just didn't see it, but have you considered using something like FuseGuard?
http://foundeo.com/security/

I suggest it because we had a client who was running on some old CF code (without cfqueryparam's) and they were getting SQL injected frequently. Instead of rewriting every query to use <CFQUERYPARAM> for every variable (the site was rather large) we installed FuseGuard and saved a LOT of time. Not only did it block the attacks without a major rewrite, it also provided a lot of information about what attack vectors the bad guys were using. It was very useful and well worth the cost.

Just trying to be helpful. ;)

Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
509.593.4207 x 1001

On 05/25/2011 12:42 PM, Michael Dinowitz wrote:
> I'm holding off turning the site back on until I finish a code review. I
> want to make sure that there are no unexpected holes.
>
> On Wed, May 25, 2011 at 3:27 PM, Michael Muller <mich...@mullertech.com> wrote:
>
>> Is the website down?
>>
>> MM
>>
>> --------
>> Michael Muller
>> cell (413) 320-5336
>> http://MontagueWebWorks.com
>> ** Powered by ROCKETFUSION **
>>
>> Information is not knowledge
>> Knowledge is not wisdom
>>
>> Eschew Obfuscation

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344899