You must use it DIRECTLY in your SQL statement.
You can NOT do this:
<cfset myvar = preservesinglequotes(form.entereddata)>
<cfquery ...>
select ... where #myVar# = 'something'
</cfquery>
It must be like this:
<cfquery ...>
select ... where #preservesinglequotes(form.entereddata)# = 'something'
</cfquery>
BUT <CFQUERYPARAM> is even better -- it will protect you from ANY
potentially dangerous characters.
Specifically, you tell it what type of data is allowable. CF_SQL_VARCHAR
means it can be a text string. It protects you if a user attempts to
include some SQL statements to mess up your website (google for "sql
injection attack" for details of this type of problem).
CF_SQL_VARCHAR is just one data type. There are others for integer,
floating point, dates, etc.
Hope this helps,
Jevo
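The contrast Jevo describes, as an added example that is not part of either message: the string-concatenation form that preserveSingleQuotes() leaves exposed, beside the same query written with CFQUERYPARAM. The datasource name "myDSN", the "users" table and its columns, and the form fields are assumed for illustration.

```cfml
<!--- Added example, not from the original post. Assumes a datasource "myDSN" and a table
      "users" with columns username, email and account_id (all constructed names). --->

<!--- Vulnerable form: the user's text is dropped straight into the SQL. preserveSingleQuotes()
      switches off ColdFusion's automatic doubling of single quotes, so an apostrophe in
      form.username closes the string literal and whatever follows is parsed as SQL. --->
<cfquery name="qVulnerable" datasource="myDSN">
    SELECT username, email
    FROM users
    WHERE username = '#preserveSingleQuotes(form.username)#'
</cfquery>

<!--- Safer form: cfqueryparam passes the value as a bind parameter, so the database never
      parses it as SQL. cfsqltype declares the allowed type; a value that does not fit it
      (for example non-numeric text for cf_sql_integer) is rejected before the query runs. --->
<cfquery name="qSafe" datasource="myDSN">
    SELECT username, email
    FROM users
    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">
      AND account_id = <cfqueryparam value="#form.accountId#" cfsqltype="cf_sql_integer">
</cfquery>
```

The maxlength attribute is optional but worth setting on text parameters so that over-long input is refused rather than silently truncated by the database. Note that in the parameterised query the value is written without surrounding quotes; the driver adds whatever quoting the column type needs.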
-----Original Message-----
From: Christy Roberts [mailto:[EMAIL PROTECTED]
Sent: Friday, February 06, 2004 4:48 AM
To: CF-Talk
Subject: RE: Different query results in Access/ColdFusion
So using preservesinglequotes() will ensure that if people enter
apostrophes, it won't affect the results? I should definitely use that. :-)
What does CF_SQL_VARCHAR do?
However, that wasn't what was causing my problem - someone on another board
figured it out last night. It was the "groupby" clause in the output query.
I removed that, and it works like a CHARM!!!!
But I would be interested in hearing about the other two options you
suggested.
Thanks
Christina
:-)