I developed a web site for a client where they will post images of

Question

0

Asked: May 31, 20262026-05-31T06:46:53+00:00 2026-05-31T06:46:53+00:00

I developed a web site for a client where they will post images of

0

I developed a web site for a client where they will post images of their merchandise online. The url is www.domiainname.com/item-details.cfm?sku=125. Someone tried browsing to www.domiainname.com/item-details.cfm?sku=125%20and%203=3 which produced and error in which I’m notified.

I’ve also received error reports of:

item-details.cfm?sku=1291+or+1=@@version-- 
item-details.cfm?sku=1291'+or+1=@@version 
item-details.cfm?sku=1291+or+1=@@version

The last three examples are definitely of someone trying to get into the system, right?

If we converted this to be stored procedures, would that reduce or eliminate the risk of insertion attacks?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-31T06:46:54+00:00

Editorial Team

2026-05-31T06:46:54+00:00Added an answer on May 31, 2026 at 6:46 am

Yes, it appears that someone is being malicious.

Using cfqueryparam will prevent SQL-injection attacks. When in doubt (and it’s CF), ask Ben:

SQL Injection Attacks, Easy To Prevent, But Apparently Still Ignored

Example:

<cfquery ...>
    SELECT    *
    FROM      Products
    WHERE     SKU=<cfqueryparam value="#URL.SKU#" cfsqltype="CF_SQL_INTEGER">
</cfquery>

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I developed a web site for a client where they will post images of

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply