Well, three actually. First - whenever you use URL parameters - you should do everything possible to validate them. For example - imagine your script expects a URL variable, ID, and it should be numeric. Your validation should...

Ensure it exists.
Ensure it's numeric.
Ensure it's greater than 0 (assuming the value represents an ID in your database).
Ensure it represents a record in your database (i.e., fetch where id = url.id and check the record count).
And lastly, check to make sure the current user has permissions to view that record.
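Here is what those five checks look like in a CFML template. This is an added example, not code from the original post or from the site quoted below; the table columns ownerUserID and the session.userID variable are assumed for the permission check, and the datasource name is the one that appears in the error message further down.

```cfml
<!--- list.cfm (added example): validate url.id before it gets anywhere near a query --->
<!--- Assumptions: dbo.catlist has an ownerUserID column; session.userID holds the logged-in user --->

<!--- 1. Ensure it exists. A default of "" means a missing parameter fails the next check
         instead of throwing a "variable undefined" error. --->
<cfparam name="url.id" default="">

<!--- 2. Ensure it's numeric: digits only. isNumeric() would accept "21.5" or "1e3",
         and "a21" (the value from the error below) fails here. --->
<cfif not reFind("^[0-9]+$", url.id)>
    <cflocation url="index.cfm" addtoken="no">
</cfif>

<!--- 3. Ensure it's greater than 0 --->
<cfif val(url.id) lte 0>
    <cflocation url="index.cfm" addtoken="no">
</cfif>

<!--- 4. Ensure it represents a record. cfqueryparam binds the value as an integer,
         so the database never sees it spliced into the SQL text. --->
<cfquery name="getCat" datasource="SECTION508">
    SELECT ListID, catsdesc, ownerUserID
    FROM dbo.catlist
    WHERE ListID = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfif getCat.recordCount eq 0>
    <cflocation url="index.cfm" addtoken="no">
</cfif>

<!--- 5. Ensure the current user may view this record (ownership check, assumed column) --->
<cfif getCat.ownerUserID neq session.userID>
    <cflocation url="index.cfm" addtoken="no">
</cfif>

<cfoutput><p>#getCat.catsdesc#</p></cfoutput>
```

Every failed check sends the visitor to the home page rather than rendering an error. Note that step 4 gives you two things at once: the record-exists check, and a typed bind that would have turned the 'a21' request into a quiet redirect instead of a database error.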

As an example of a site that does not do this - check out this error:

ODBC Error Code = 22005 (Error in assignment)

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'a21' to a column of data type int.

SQL = "SELECT ListID, catsdesc FROM dbo.catlist Where ListID = 'a21'"

Data Source = "SECTION508"

The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (30:1) to (30:45) in the template file D:\SEFLINSITES\WWWSECTION508\LIST.CFM.

Query String: Cat=a21

This error was generated by changing a url parameter, cat, from 21 to a21. This completely throws off the script. Now let's get to the two security issues.

First - notice the full path in the error message?

This can be used by a hacker to gain information about your file system. It's not a security hole by itself per se, but it acts as an aid to someone trying to harm your server. This can be turned off by going to your CFMX admin and turning off this option: "Enable Robust Exception Information".

Also notice that the error message mentions SQL Server. If someone had recently discovered a security issue with SQL Server, this error message would give me details on ways I could attack the server. Again, this is very easy to fix. Ideally, you would fix the template itself. However, if you don't have time for that, at least set the site-wide error handler (again, in the CF admin) so that any errors will send users to either your home page or some other page instead. Anything is better than showing an error to your user.
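The same thing can be done per application without touching the CF admin, using cferror. This is an added example, not from the original post: an Application.cfm that routes every unhandled exception to a template which logs the detail for the developer and shows the visitor only a generic page. The log file name is an assumption.

```cfml
<!--- Application.cfm (added example): catch every unhandled exception site-wide --->
<cfapplication name="section508" sessionmanagement="yes">
<cferror type="exception" template="error.cfm">

<!--- error.cfm (added example): the "error" scope is populated by cferror.
      Keep the message, SQL, file path and driver name in the log, not on the page. --->
<cflog file="section508errors" type="error"
       text="#error.message# | #error.detail# | #error.template# | #error.queryString#">
<cfoutput>
<p>Sorry, something went wrong. <a href="index.cfm">Return to the home page</a>.</p>
</cfoutput>
```

With this in place the ODBC message, the "SELECT ... WHERE ListID = 'a21'" statement and the D:\ path all land in the log where you can see them, while the visitor who changed the parameter sees nothing that names the database, the driver or the file system. A cftry/cfcatch with type="database" around an individual cfquery gives the same result for one template when you want to handle a specific query differently.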