S. Isaac Dealey wrote:
>>Can anyone recommend a good way to filter " ' etc out of forms so on the
>>action page the SQL does not crash?
>
> There's no need to filter single or double quotes out of the form to prevent
> SQL from erroring unless you're also using PreserveSingleQuotes() ... CF
> escapes single quotes automatically and since the string is bound by single
> quotes, double-quotes produce no errors.
Unless you use a database that does not use just the single quote as escape character. What happens if your database uses a ~ as escape character and you have the following code:

<cfset string="~'; DROP TABLE tablename --">
<cfquery ....>
SELECT * FROM tablename WHERE field = '#string#'
</cfquery>

It will result in the table being dropped, and CF will not filter out the DROP statement, even if you restricted its use (at least in MX).

Use cfqueryparam.

Jochem
______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
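The disagreement between the two posts above comes down to what the database, not ColdFusion, treats as an escape character inside a string literal. The following is an added illustration, not code from either poster or from ColdFusion: it reproduces CF's automatic quote doubling, feeds it Jochem's payload, and runs the resulting SQL text through a small model of a statement lexer (a simplified assumption, not any real engine) once for a database whose only escape is '' and once for a database that also honours the post's hypothetical ~ escape. SQLite stands in for the real database for the parameterised version; MySQL's default backslash escaping is a real-world instance of the same problem the ~ example describes.

```python
import sqlite3
from typing import List, Optional

# Constructed payload: the same string used in the list post.
PAYLOAD = "~'; DROP TABLE tablename --"


def cf_escape(value: str) -> str:
    """What ColdFusion does to a variable interpolated inside a quoted
    literal in <cfquery>: double every single quote, nothing else."""
    return value.replace("'", "''")


def build_query(user_input: str) -> str:
    """The post's query with #string# substituted after CF's escaping."""
    return "SELECT * FROM tablename WHERE field = '" + cf_escape(user_input) + "'"


def split_statements(sql: str, escape_char: Optional[str]) -> List[str]:
    """Simplified model of a database's statement lexer (an assumption, not a
    real engine): tracks whether we are inside a single-quoted literal,
    honours '' as an embedded quote and, if escape_char is given, treats
    escape_char plus the following character as escaped, then splits on any
    ';' that occurs outside a literal."""
    statements: List[str] = []
    current: List[str] = []
    in_string = False
    i = 0
    while i < len(sql):
        c = sql[i]
        if in_string:
            if escape_char is not None and c == escape_char and i + 1 < len(sql):
                current.append(sql[i:i + 2])   # escaped character: stay in string
                i += 2
                continue
            if c == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    current.append("''")       # doubled quote: still in string
                    i += 2
                    continue
                in_string = False              # closing quote
        else:
            if c == "'":
                in_string = True
            elif c == ";":                     # statement boundary
                statements.append("".join(current).strip())
                current = []
                i += 1
                continue
        current.append(c)
        i += 1
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements


def _fresh_db() -> sqlite3.Connection:
    """In-memory SQLite with the post's table name and one harmless row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablename (field TEXT)")
    conn.execute("INSERT INTO tablename VALUES ('harmless')")
    return conn


def _table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'tablename'").fetchone()
    return row[0] == 1


def run_on_sqlite(user_input: str):
    """Execute the quote-doubled SQL text against SQLite, whose only escape
    inside a literal is ''. Returns (rows matched, table still exists)."""
    conn = _fresh_db()
    rows = conn.execute(build_query(user_input)).fetchall()
    result = (len(rows), _table_exists(conn))
    conn.close()
    return result


def run_parameterised(user_input: str):
    """The cfqueryparam equivalent: the value is bound, never spliced into the
    SQL text, so the engine's escape rules cannot matter.
    Returns (rows matched, table still exists)."""
    conn = _fresh_db()
    rows = conn.execute(
        "SELECT * FROM tablename WHERE field = ?", (user_input,)).fetchall()
    result = (len(rows), _table_exists(conn))
    conn.close()
    return result


if __name__ == "__main__":
    sql = build_query(PAYLOAD)
    print(sql)
    print("engine with only '' escaping sees:", split_statements(sql, None))
    print("engine with ~ escaping sees:      ", split_statements(sql, "~"))
    print("sqlite, quote-doubled text:", run_on_sqlite(PAYLOAD))
    print("sqlite, bound parameter:   ", run_parameterised(PAYLOAD))
```

With only '' recognised, the doubled quote keeps the whole payload inside the literal and the query is a harmless one-row lookup, which is Dealey's point. With ~ as an escape character the same text lexes as two statements, the second beginning with DROP TABLE, which is Jochem's point; the bound-parameter version never puts the input into the SQL text at all, so the question of which characters the engine escapes does not arise.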

