Yeah, and some over-smart ones could create worse problems by using "...WHERE 1=1" in WHERE clauses or by injecting SQL which they should not.

But if the requirement is like that, make sure the permissions of the APP user executing these commands are limited so it cannot cause any problems. :)

Thanks.
-Sandy Vohra

-----Original Message-----
From: Matthew Sievert [mailto:[EMAIL PROTECTED]
Sent: Monday, September 25, 2006 3:39 PM
To: CF-Newbie
Subject: RE: Executing a user input query

Are you ABSOLUTELY sure you want your users to have this type of access to your data?

I have worked on projects where this type of functionality has been present. The results ranged from slightly annoying to completely having to restore the tables from a backup.

Please remember that not many average users are adept at formulating well-qualified SQL statements.

> -----Original Message-----
> From: Rob Harrington [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 25, 2006 2:22 PM
> To: CF-Newbie
> Subject: Re: Executing a user input query
>
> All set - figured it out myself...
>
> > I am creating a page that allows a user to write and submit their own
> > SQL query via a form textarea, with the data being returned on the page.
> > So far I have been pretty successful, except that when a user inputs a
> > query with a WHERE clause that references a char column type (i.e.
> > select * from Exchanges WHERE country = 'USA') it doesn't work.
> > However, when the WHERE clause references a numeric column (i.e. select
> > * from Exchanges WHERE exchangeID=5) it works fine. Could this have
> > something to do with the quotes? How can I handle this? Here is a
> > snippet of my code:
> >
> > ................
> >
> > <form method="post" name="formQuery" action="InputSQL.cfm">
> >   <input type="hidden" value="DoMyQuery" name="MyQuery">
> >   <textarea style="overflow:auto" name="sqlquery" rows="8" cols="100"></textarea><br /><br />
> >   <input type="submit">
> > </form>
> >
> > <!--- default the flag so the page also loads before the form is submitted --->
> > <cfparam name="form.MyQuery" default="">
> > <cfif form.MyQuery eq "DoMyQuery">
> >   <cfset thequery = form.sqlquery>
> >   <cfoutput>#thequery#</cfoutput>
> >   <!--- executes the user-supplied text as the whole query --->
> >   <cfquery datasource="MarketData" name="GetData">
> >     #form.sqlquery#
> >   </cfquery>
> >
> > ......................
> >
> > Thanks for any help...

Archive: http://www.houseoffusion.com/groups/CF-Newbie/message.cfm/messageid:2098
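The two points raised in the thread, that a "...WHERE 1=1" in user-supplied SQL can wipe a table and that the account running such SQL should be limited so it cannot, are shown below in an added Python example that is not part of the thread or of Rob's ColdFusion page. It assumes an in-memory SQLite database with a constructed Exchanges table standing in for the MarketData datasource, uses SQLite's authorizer hook as a local stand-in for the database user's GRANTs (in production the restriction lives in the database account, as Sandy says), and shows the original country filter as a parameterised query so that quoting is handled by the driver rather than by the page.

```python
import sqlite3

# Constructed sample rows standing in for the thread's MarketData source.
EXCHANGES = [
    (1, "NYSE", "USA"),
    (2, "NASDAQ", "USA"),
    (3, "LSE", "UK"),
    (4, "TSE", "Japan"),
    (5, "ASX", "Australia"),
]


def open_market_data() -> sqlite3.Connection:
    """In-memory stand-in for the MarketData datasource (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Exchanges (exchangeID INTEGER PRIMARY KEY, name TEXT, country TEXT)"
    )
    conn.executemany("INSERT INTO Exchanges VALUES (?, ?, ?)", EXCHANGES)
    conn.commit()
    return conn


# Actions a report-only account may perform: read rows and call built-in
# functions. INSERT/UPDATE/DELETE/DROP/PRAGMA/ATTACH and the rest are refused
# when the statement is compiled, before it touches any data.
_READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def _read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    return sqlite3.SQLITE_OK if action in _READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY


def restrict_to_reads(conn: sqlite3.Connection) -> None:
    """Local model of Sandy's advice: the account that runs user-typed SQL gets
    SELECT only. SQLite's authorizer hook plays the role of the DB user's GRANTs."""
    conn.set_authorizer(_read_only_authorizer)


def run_user_sql(conn: sqlite3.Connection, sql: str):
    """The pattern from the thread: textarea contents executed verbatim.
    Returns (rows, error_message); error_message is None on success."""
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.DatabaseError as exc:  # covers "not authorized" and OperationalError
        return [], str(exc)


def exchanges_in_country(conn: sqlite3.Connection, country: str):
    """Rob's legitimate use case, parameterised: the driver binds the value, so
    the page never has to quote it and the value cannot alter the statement."""
    return conn.execute(
        "SELECT exchangeID, name FROM Exchanges WHERE country = ?", (country,)
    ).fetchall()


def demo() -> dict:
    conn = open_market_data()
    restrict_to_reads(conn)

    # A normal report query, quotes included, still works on the restricted account.
    rows, select_err = run_user_sql(conn, "SELECT * FROM Exchanges WHERE country = 'USA'")
    # The "WHERE 1=1" case from the thread is refused instead of emptying the table.
    _, delete_err = run_user_sql(conn, "DELETE FROM Exchanges WHERE 1=1")
    survivors, _ = run_user_sql(conn, "SELECT count(*) FROM Exchanges")
    return {
        "usa_rows": len(rows),
        "select_error": select_err,
        "delete_error": delete_err,
        "rows_left": survivors[0][0],
        # Bound parameters treat injection-shaped input as an ordinary string.
        "param_usa": len(exchanges_in_country(conn, "USA")),
        "param_tautology": len(exchanges_in_country(conn, "USA' OR 1=1 --")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The authorizer is set only after the constructed table is populated, mirroring a deployment where the schema is owned by an administrative account and the web application connects as a separate, read-only user; `run_user_sql` still accepts arbitrary text, which is exactly why the account's privileges, not the page, are what bound the damage.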
