> S. Isaac Dealey wrote:
>>
>> There's no need to filter single or double quotes out of the form to
>> prevent sql from erroring unless you're also using
>> PreserveSingleQuotes() ... CF escapes single quotes automatically and
>> since the string is bound by single quotes, double-quotes produce no
>> errors.
>
> Unless you use a database that does not use just the single quote as
> escape character. What happens if your database uses a ~ as escape
> character and you have the following code:
>
> <cfset string="~'; DROP TABLE tablename --">
> <cfquery ....>
> SELECT * FROM tablename WHERE field = '#string#'
> </cfquery>
>
> It will result in the table being dropped, and CF will not filter out
> the DROP statement, even if you restricted its use (at least in MX).
>
> Use cfqueryparam.
Given a db that uses ~ to bound string values instead of single or double quotes, this is true, but then you would not be escaping the single or double-quotes, you would be escaping the ~ symbol. Generally speaking I would imagine that if they were using a db which used an unusual character to delimit strings like ~ they would know that, and they would be asking about that, rather than asking about single or double quotes ...

But this does raise the question: does the queryparam tag know what the db uses as a string delimiter (as a result of drawing information from the db drivers I would imagine) or does it assume single quotes? If cfqueryparam assumes single quotes, then it won't help any more than trying to manually escape single or double quotes... I was under the impression also that single quotes were the standard for SQL string delimiters? Is SQL a standard? ... In which case it would make sense for the CF server to simply use what the standard specifies and not worry about non-standard databases or database servers.

Isaac Dealey
Certified Advanced ColdFusion Developer
www.turnkey.to
954-776-0046
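Added example, not part of the thread: the interpolated query from the quoted message beside the cfqueryparam form it recommends. The datasource name `myDSN`, the `form.field` and `url.id` inputs and the `id` column are assumed; `tablename` and `field` come from the quoted code.

```cfml
<!--- Vulnerable form (as in the quoted message): the submitted value
      becomes part of the SQL text, so whatever the database treats as
      a string delimiter decides whether "~'; DROP TABLE tablename --"
      closes the literal early. Datasource and form field are assumed. --->
<cfquery name="byField" datasource="myDSN">
    SELECT * FROM tablename WHERE field = '#form.field#'
</cfquery>

<!--- Parameterized form: the value is handed to the driver as a bound
      parameter and is never spliced into the statement, so the
      delimiter question (single quote, ~ or anything else) does not
      arise and no manual escaping is needed. --->
<cfquery name="byField" datasource="myDSN">
    SELECT * FROM tablename
    WHERE field = <cfqueryparam value="#form.field#"
                                cfsqltype="cf_sql_varchar"
                                maxlength="100">
</cfquery>

<!--- For numeric columns the declared type is a second check: a value
      such as "1; DROP TABLE tablename" fails cf_sql_integer validation
      and the query is not sent. Column and input name are assumed. --->
<cfquery name="byId" datasource="myDSN">
    SELECT * FROM tablename
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```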

