Of course, Macromedia recommends that you *always* use CFQUERYPARAM within
CFQUERY; from the CFML Reference for CFMX (the exact same wording is in the
CF5 docs):

        "Macromedia recommends that you use the cfqueryparam tag within
every cfquery tag, to help secure your databases from unauthorized users."

Therefore, if you follow best security practices as recommended by
Macromedia (everyone does, right?) then the question of auto-escaping single
quotes within CFQUERY is a non-issue. If you're not following best security
practices, well...

Vince Bonfanti
New Atlanta Communications, LLC
http://www.newatlanta.com


> -----Original Message-----
> From: Sean A Corfield [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, June 15, 2003 2:06 AM
> To: CF-Talk
> Subject: Re: CFMX,BD... the question on many minds...
> 
> 
> On Saturday, Jun 14, 2003, at 22:18 US/Pacific, Rafael Alan Bleiweiss 
> wrote:
> > OK - so after all that I've read, I still sit here with a 
> fifty fifty 
> > issue, EXCEPT - Did I read correctly?  BD's CFQUERY does 
> NOT natively 
> > allow escaping single-quotes?
> 
> This is from New Atlanta's Compatibility Guide:
> 
> "3.3.8.2 Escaping Single Quote Characters
> 
> BlueDragon does not "escape" single-quote characters within CFML 
> variables when those variables are used to create SQL 
> statements within 
> CFQUERY tags. For example, the following will cause a 
> database error on 
> BlueDragon but not CF5:
> 
>       <CFSET EmployeeName="O'Neil">
> 
>       <CFQUERY NAME="employees" DATASOURCE="MyCompany">
>       SELECT * FROM Employees
>       WHERE LastName = '#EmployeeName#'
>       </CFQUERY>
> 
> For this to work properly on BlueDragon, you must use the 
> CFQUERYPARAM 
> tag..."
> 
> > From the BD compatibility
> > chart, all looked excellent for me to migrate until I read 
> that about 
> > single quotes...
> 
> Yes, the chart gives a high-level overview but you really 
> need to read 
> the compatibility guide carefully to see whether your code will work 
> properly on BlueDragon.
> 
> > but with regard to something that I consider VITAL,
> > like escaping single quotes,  like I said, I'm already putting in 12
> > to 18
> > hours a day.. I'd just never have the time to go backwards over my 
> > work.
> 
> This is why Macromedia views backward compatibility with CF5 
> as such an 
> important issue and is working so hard on this.
> 
> Sean A Corfield -- http://www.corfield.org/blog/
> 
> "If you're not annoying somebody, you're not really alive."
> -- Margaret Atwood
>
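The two query forms the compatibility guide contrasts, written out side by side as an added example (this is not code from the thread or from New Atlanta's guide). It assumes the MyCompany datasource and the Employees table with a LastName column named in the quoted guide; the EmployeeID integer column and the maxlength of 50 are assumptions added for illustration. It goes one step beyond the quoted text by showing a numeric WHERE clause, where quote-escaping of any kind (CF5's automatic doubling included) cannot help and only a typed bind parameter does.

```cfml
<!--- Constructed input: a value a user might submit in a search form.
      The apostrophe is legitimate data (a real surname), not an attack. --->
<cfset EmployeeName = "O'Neil">

<!--- Vulnerable form (the one the guide quotes): string interpolation inside
      CFQUERY. CF5 silently doubles the apostrophe to O''Neil; BlueDragon does
      not, so the SQL text becomes  WHERE LastName = 'O'Neil'  and the database
      rejects it. On both engines the raw value is pasted into the statement. --->
<cftry>
    <cfquery name="employeesUnsafe" datasource="MyCompany">
        SELECT * FROM Employees
        WHERE LastName = '#EmployeeName#'
    </cfquery>
    <cfset unsafeResult = "ran (this engine auto-escaped the quote)">
<cfcatch type="database">
    <cfset unsafeResult = "database error: #cfcatch.message#">
</cfcatch>
</cftry>

<!--- Hardened form: cfqueryparam sends the value as a bind parameter, so the
      apostrophe never becomes part of the SQL text. Behaves identically on
      CF5, CFMX and BlueDragon. maxlength (assumed limit of 50) rejects
      over-long input before it reaches the database. --->
<cfquery name="employeesSafe" datasource="MyCompany">
    SELECT * FROM Employees
    WHERE LastName = <cfqueryparam value="#EmployeeName#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>

<!--- Numeric context (EmployeeID column is assumed): there are no quotes to
      escape, so CF5's automatic escaping offers no protection here at all.
      cf_sql_integer both binds the value and makes ColdFusion reject
      non-numeric input with an error instead of passing it to the database. --->
<cfset EmployeeID = 42>
<cfquery name="employeeByID" datasource="MyCompany">
    SELECT * FROM Employees
    WHERE EmployeeID = <cfqueryparam value="#EmployeeID#"
                                     cfsqltype="cf_sql_integer">
</cfquery>

<cfoutput>
    <p>Interpolated query: #unsafeResult#</p>
    <p>Parameterized query found #employeesSafe.RecordCount# employee(s)
       named #EmployeeName#.</p>
    <p>Lookup by ID returned #employeeByID.RecordCount# row(s).</p>
</cfoutput>
```

Running the page on CF5 prints "ran" for the first query and on BlueDragon prints the database error, while the two cfqueryparam queries behave the same on every engine; that portability is the practical reason the guide and the Macromedia docs both point at cfqueryparam rather than at escaping.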

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
