Also, if you are using SQL Server...

Create a user in SQL Server with the least amount of rights.  NEVER USE THE
SA ACCOUNT!
Allow only select.
Deny delete, insert, update if it is not needed.  (Technically, you should
never delete a record.  Just mark it "no show" or something of that nature.)
Use the created SQL Server username for the datasource in ColdFusion
Administrator.
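The least-privilege datasource account described above, written out as T-SQL. This is an added example, not code from the thread; the login name cf_reader, the database name JobsDb and the dbo.Jobs table are assumptions.

```sql
-- Added example (not from the original thread): a least-privilege SQL Server
-- principal for the ColdFusion datasource. cf_reader, JobsDb and dbo.Jobs are
-- assumed names; replace the password placeholder before running.
USE JobsDb;
GO

-- A dedicated server login and a database user mapped to it. This is the
-- account that goes into the ColdFusion Administrator datasource, not sa.
CREATE LOGIN cf_reader
    WITH PASSWORD = '<replace-with-strong-password>', CHECK_POLICY = ON;
CREATE USER cf_reader FOR LOGIN cf_reader;
GO

-- Grant only what the application needs: read access to the dbo schema.
GRANT SELECT ON SCHEMA::dbo TO cf_reader;

-- An explicit DENY also blocks write rights the user might later inherit
-- through role membership, so the restriction survives future GRANTs.
DENY INSERT, UPDATE, DELETE ON SCHEMA::dbo TO cf_reader;
GO

-- Verify the effective rights from the new user's point of view before
-- pointing ColdFusion at it. HAS_PERMS_BY_NAME returns 1 when the current
-- security context holds the permission and 0 when it does not.
EXECUTE AS USER = 'cf_reader';
SELECT
    HAS_PERMS_BY_NAME('dbo.Jobs', 'OBJECT', 'SELECT') AS can_select,
    HAS_PERMS_BY_NAME('dbo.Jobs', 'OBJECT', 'INSERT') AS can_insert,
    HAS_PERMS_BY_NAME('dbo.Jobs', 'OBJECT', 'UPDATE') AS can_update,
    HAS_PERMS_BY_NAME('dbo.Jobs', 'OBJECT', 'DELETE') AS can_delete;
REVERT;
GO
```

With the grants above, the verification query should show 1 for SELECT and 0 for the three write permissions; anything else means the user picked up rights from elsewhere (a role, a broader grant) and the account is not yet least-privilege. If the application really does need to flag records as "no show", grant UPDATE narrowly on that one table rather than lifting the schema-level DENY.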

-----Original Message-----
From: Chad Gray [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 14, 2008 1:45 PM
To: CF-Talk
Subject: any ideas

I would like to leave my Query open to take in any number of where
statements.

IE:
<cfset arguments.clause = "JobID = 1">

<cfquery name="getJobs" datasource="#application.dsn#">
SELECT *
FROM Jobs
WHERE 1=1
        <cfif len(arguments.clause)>AND #arguments.clause#</cfif>
</cfquery>

Of course the problem with doing this is SQL injection.

Anyone have a good way of doing this and keep safe from SQL injection?

Thanks!
Chad
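One defender-side way to get the "any number of WHERE conditions" behaviour without ever splicing caller text into the SQL, added here as an example that is not part of the original thread: a stored procedure whose filters are optional parameters, so each value is bound as data and a missing parameter simply disables its condition. The columns other than JobID (CustomerID, Status, ScheduledOn) and the datasource user name cf_reader are assumptions.

```sql
-- Added example (not from the original thread): the dynamic WHERE clause as
-- optional stored-procedure parameters. Column names other than JobID and the
-- cf_reader datasource user are assumptions about the schema.
CREATE PROCEDURE dbo.GetJobs
    @JobID       INT         = NULL,
    @CustomerID  INT         = NULL,
    @Status      VARCHAR(20) = NULL,
    @ScheduledOn DATE        = NULL
AS
BEGIN
    SET NOCOUNT ON;

    -- Each condition drops out when its parameter is NULL, which replaces the
    -- "WHERE 1=1 AND #clause#" pattern. Caller input only ever reaches the
    -- query as a typed parameter value, never as SQL text.
    SELECT JobID, CustomerID, Status, ScheduledOn
    FROM dbo.Jobs
    WHERE (@JobID       IS NULL OR JobID       = @JobID)
      AND (@CustomerID  IS NULL OR CustomerID  = @CustomerID)
      AND (@Status      IS NULL OR Status      = @Status)
      AND (@ScheduledOn IS NULL OR ScheduledOn = @ScheduledOn)
    OPTION (RECOMPILE);  -- lets the optimizer ignore the disabled branches per call
END;
GO

-- The datasource account needs EXECUTE on the procedure only; it does not
-- need SELECT on the underlying table at all.
GRANT EXECUTE ON dbo.GetJobs TO cf_reader;
GO

-- Constructed sample calls: any subset of the filters may be supplied.
EXEC dbo.GetJobs @JobID = 1;
EXEC dbo.GetJobs @Status = 'open', @CustomerID = 42;
EXEC dbo.GetJobs;   -- no filters: equivalent to the bare WHERE 1=1 query
```

From ColdFusion the procedure is called with cfstoredproc and one cfprocparam per filter, passing null for the ones not in use. If the query has to stay inline in a cfquery instead, the same principle applies: every value goes through cfqueryparam with an explicit cfsqltype, and any column name that varies at runtime is checked against a fixed list of allowed names before it is used.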
Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305279