Hi Jason,

My fault in being too terse. I just used where and order by to give a sense
of the syntax of argumentcollection (and I realize now as I look, even that
is wrong!)

Syntax should be:

Local.UserList = UserService.Find(argumentcollection=Local.MyValues);

As for SQL injection, you REALLY need to have everything queryparam'd on a
parameter by parameter basis. You can run RegEx's to get out the silly stuff
(alphas against a numeric or boolean field, etc.) but while I've seen a lot
of attempts, I've never seen a compelling set of RegEx's to truly stop any
possible SQL injection attack.

If you have the option, you may also want to pass the parameters to a stored
procedure.

Best Wishes,
Peter
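A filter method built along the lines Peter describes here (queryparam every value) and in his earlier getUserListBySearch() description (loop through the arguments, compare them to a list of valid field names, check the types), written as an added illustration rather than code from anyone's actual CFC. Every key of the struct passed via argumentcollection is checked against a whitelist of column names, integer filters are type-checked, ORDER BY is restricted to the same whitelist, and values only ever reach SQL through cfqueryparam, so a value like Jason's `'1=1; DELETE FROM users;` is bound as a literal string. The users table, its columns, the datasource and the `variables.searchFields` map are assumptions; paging is left out.

```cfml
<cfcomponent displayname="UserService" output="false">
  <cffunction name="init" access="public" returntype="any" output="false">
    <cfargument name="dsn" type="string" required="true">
    <cfset variables.dsn = arguments.dsn>
    <!--- Whitelist: searchable column -> cfqueryparam type. Assumed schema, not a real project's. --->
    <cfset variables.searchFields = structNew()>
    <cfset variables.searchFields.UserID    = "cf_sql_integer">
    <cfset variables.searchFields.FirstName = "cf_sql_varchar">
    <cfset variables.searchFields.LastName  = "cf_sql_varchar">
    <cfset variables.searchFields.Company   = "cf_sql_varchar">
    <cfset variables.searchFields.City      = "cf_sql_varchar">
    <cfreturn this>
  </cffunction>

  <!--- Called as UserService.Find(argumentcollection=Local.MyValues): every struct key becomes a named argument, so unknown keys land in Arguments and must be rejected. --->
  <cffunction name="Find" access="public" returntype="query" output="false">
    <cfargument name="OrderBy" type="string" required="false" default="LastName">
    <cfset var local = structNew()>
    <!--- 1. Only whitelisted column names may appear as filters; any other argument is an error. --->
    <cfloop collection="#arguments#" item="local.key">
      <cfif local.key NEQ "OrderBy" AND NOT structKeyExists(variables.searchFields, local.key)>
        <cfthrow type="UserService.InvalidFilter" message="Unknown search field: #local.key#">
      </cfif>
    </cfloop>
    <!--- 2. ORDER BY cannot be a bind parameter, so it is only ever a whitelisted column name. --->
    <cfif NOT structKeyExists(variables.searchFields, arguments.OrderBy)>
      <cfthrow type="UserService.InvalidFilter" message="Unknown sort field: #arguments.OrderBy#">
    </cfif>
    <!--- 3. Type-check integer filters up front so a bad value fails before it reaches the database. --->
    <cfif structKeyExists(arguments, "UserID") AND NOT isValid("integer", arguments.UserID)>
      <cfthrow type="UserService.InvalidFilter" message="UserID must be an integer">
    </cfif>
    <!--- 4. Column names come from the whitelist; values reach SQL only via cfqueryparam,
          so "'1=1; DELETE FROM users;" is bound as a literal LastName value, never executed. --->
    <cfquery name="local.users" datasource="#variables.dsn#">
      SELECT UserID, FirstName, LastName, Company, City
      FROM users
      WHERE 1 = 1
      <cfloop collection="#variables.searchFields#" item="local.field">
        <cfif structKeyExists(arguments, local.field)>
          AND #local.field# = <cfqueryparam value="#arguments[local.field]#" cfsqltype="#variables.searchFields[local.field]#">
        </cfif>
      </cfloop>
      ORDER BY #arguments.OrderBy#
    </cfquery>
    <cfreturn local.users>
  </cffunction>
</cfcomponent>
```

A filter struct such as `{LastName = "'1=1; DELETE FROM users;"}` therefore returns zero rows rather than running a second statement, and a struct with a key like `Where` throws before any query is built.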


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Jason Daiger
Sent: Monday, June 26, 2006 1:01 PM
To: CFCDev@cfczone.org
Subject: RE: [CFCDev] Question About Invoking/Creating CFC Objects


Peter,
Assume some of the search criteria is coming from a user search form. Do you
worry this type of approach leaves you open to SQL injection attacks?  If
not, why?  If so, how do you protect against them?

The below example shows what I'm thinking when asking the question.

E.g.
<form.searchCriteria = "'1=1; DELETE FROM users;">
<cfset var local = NewStruct()>
<cfscript>
  Local.MyValues.Where = form.searchCriteria;
  Local.MyValues.OrderBy = "whatever else";
  Local.UserList = UserService.Find(Local.MyValues);
</cfscript>

-Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Peter Bell
Sent: Monday, June 26, 2006 12:12 PM
To: CFCDev@cfczone.org
Subject: RE: [CFCDev] Question About Invoking/Creating CFC Objects

Hi Aaron,

You pass in a struct and it matches the names of the keys within the struct
to the names of the arguments to the method. So if you have a method with
arguments like Where and OrderBy you'd call it like this:

<cfset var local = NewStruct()>
<cfscript>
  Local.MyValues.Where = "LastName LIKE 'B%'";
  Local.MyValues.OrderBy = "whatever else";
  Local.UserList = UserService.Find(Local.MyValues);
</cfscript>

Best Wishes,
Peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Aaron Roberson
Sent: Monday, June 26, 2006 12:01 PM
To: CFCDev@cfczone.org
Subject: Re: [CFCDev] Question About Invoking/Creating CFC Objects


Thanks Matt and Peter for that extra info. It is always great to find out
what other programmers are doing in their CFCs.

Peter, when using argument collection, does it pass named-value pairs to the
method?

-Aaron

On 6/23/06, Peter Bell <[EMAIL PROTECTED]> wrote:
>
>
> Hi Matt,
>
>
> You're right. Filtering is a great use case for a generic method.  I
> considered mentioning that case (I like how you don't let me get away 
> with being TOO sloppy in my postings!). I also have a special
> get%EntityName%ListBySearch() method (e.g. getUserListBySearch) that 
> allows a collection of arguments. It loops through the arguments, 
> compares them to a list of valid field names, checks the types, 
> validates any other preconditions for the filters and then passes it 
> all into a generated SP with a set of optional parameters for each 
> field which returns n-records per page of the result set.
>
> OK, girlfriend calling - must turn back into a normal person :-> Have
> a great Friday night everyone!
>
> Best Wishes,
> Peter
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Matt Williams
> Sent: Friday, June 23, 2006 6:56 PM
> To: CFCDev@cfczone.org
> Subject: Re: [CFCDev] Question About Invoking/Creating CFC Objects
>
>
> Hey Peter, several of my cases have 4-5 search fields available to the
> user (Customer ID #, First name, last name, company name, city, ...).
> So I find the Uber Search function easier to use because in it I can 
> test for values in each of these fields and include an "AND FirstName 
> LIKE <cfqueryparam>..." statement in the WHERE clause.
>
> I guess it depends on the need.
>
> --
> Matt Williams
> "It's the question that drives us."
> ----------------------------------------------------------
> You are subscribed to cfcdev. To unsubscribe, send an email to
> cfcdev@cfczone.org with the words 'unsubscribe cfcdev' as the subject 
> of the email.
>
> CFCDev is run by CFCZone (www.cfczone.org) and supported by CFXHosting
> (www.cfxhosting.com).
>
> An archive of the CFCDev list is available at
> www.mail-archive.com/cfcdev@cfczone.org

