Or just pass it through cfqueryparam like you pretty much always should anyway.
-----Original Message-----
From: Matt Quackenbush [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 22, 2008 3:03 PM
To: CF-Community
Subject: Re: As the ColdFusion World Turns

On Jan 22, 2008 1:39 PM, Shawna Hampton wrote:
> <cfset yourList = ValueList(yourQuery.blah) />
>
> WHERE otherBlah IN (#preserveSingleQuotes(yourList)#)
>

IMO, #preserveSingleQuotes()# should never be used in a query. Doing so opens your database up to all sorts of SQL Injection attacks. The only possible exception to this is if you have a list that has been generated strictly by your code, without any possibility of it being manipulated by an outside source. And even then I would question it greatly.

HTH :-)

Matt

Archive: http://www.houseoffusion.com/groups/CF-Community/message.cfm/messageid:251607
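An added example, not code from the thread, putting the quoted preserveSingleQuotes() pattern beside the cfqueryparam version suggested in the reply. The datasource name "myDSN", the table "otherTable" and the integer type of the column are assumptions.

```cfml
<!--- Added example (not from the thread). Assumes yourQuery.blah holds integers,
      a datasource "myDSN" and a table "otherTable" with an integer column otherBlah. --->
<cfset yourList = ValueList(yourQuery.blah) />

<!--- Pattern quoted in the thread: the list is spliced into the SQL text.
      If anything in yourList did not come strictly from your own code, it is
      part of the statement, not a value. preserveSingleQuotes() turns off the
      quote escaping ColdFusion would otherwise apply to the interpolated string. --->
<cfquery name="unsafeResult" datasource="myDSN">
    SELECT *
    FROM   otherTable
    WHERE  otherBlah IN (#preserveSingleQuotes(yourList)#)
</cfquery>

<!--- cfqueryparam version: list="true" binds each comma-separated item as its own
      parameter of the declared type, so the items are values, never SQL text.
      For a column of strings use cfsqltype="cf_sql_varchar"; no quoting is needed
      in the template because the driver handles it. --->
<cfquery name="safeResult" datasource="myDSN">
    SELECT *
    FROM   otherTable
    WHERE  otherBlah IN (
        <cfqueryparam value="#yourList#" cfsqltype="cf_sql_integer" list="true" />
    )
</cfquery>

<!--- Optional belt-and-braces check before the query: reject the whole list if any
      item is not an integer, which also catches an empty list that would produce
      an invalid "IN ()" clause. --->
<cfset allInts = true />
<cfloop list="#yourList#" index="item">
    <cfif NOT isValid("integer", item)>
        <cfset allInts = false />
    </cfif>
</cfloop>
<cfif NOT allInts OR NOT len(yourList)>
    <cfthrow message="otherBlah filter must be a non-empty list of integers" />
</cfif>
```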
