Hi Tom,
Do you think something like this would make it safe from SQL attack:
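<!--- Allow only letters, hyphen and underscore; the match must start at position 1 and cover the whole name --->
<cfset tableOK = REFindNoCase("^[A-Za-z_-]+", ARGUMENTS.tablename, 1, "TRUE")>
<cfif (tableOK.pos[1] NEQ 1) OR (tableOK.len[1] NEQ len(ARGUMENTS.tablename))>
<cfabort>
<cfelse>
<cfquery>
UPDATE #ARGUMENTS.tablename#
.....
</cfquery>
</cfif>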
Archive:
http://www.houseoffusion.com/cf_lists/message.cfm/forumid:4/messageid:245672
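
An added example, not part of the original post: a character check like the one above can be paired with an allowlist, so the table name placed in the SQL text comes from the component's own constant rather than from the caller. The component, the table names, the columns and application.dsn are all hypothetical.

```cfml
<!--- Added example; table names, columns and application.dsn are hypothetical --->
<cfcomponent output="false">

    <cffunction name="resolveTableName" access="private" returntype="string" output="false">
        <cfargument name="tablename" type="string" required="true">
        <!--- Hypothetical allowlist: the only tables this component may update --->
        <cfset var allowedTables = "customers,orders,invoices">
        <cfset var leftover = "">
        <cfset var idx = 0>

        <!--- Strip every permitted character; anything left over is a disallowed character --->
        <cfset leftover = REReplace(arguments.tablename, "[A-Za-z_-]", "", "all")>
        <cfif Len(arguments.tablename) EQ 0 OR Len(leftover) GT 0>
            <cfthrow type="InvalidTableName" message="Table name is empty or contains disallowed characters.">
        </cfif>

        <!--- Exact, case-insensitive match against the allowlist --->
        <cfset idx = ListFindNoCase(allowedTables, arguments.tablename)>
        <cfif idx EQ 0>
            <cfthrow type="InvalidTableName" message="Table name is not on the allowlist.">
        </cfif>

        <!--- Return the allowlist entry, never the caller's string --->
        <cfreturn ListGetAt(allowedTables, idx)>
    </cffunction>

    <cffunction name="updateStatus" access="public" returntype="void" output="false">
        <cfargument name="tablename" type="string" required="true">
        <cfargument name="id" type="numeric" required="true">
        <cfargument name="status" type="string" required="true">
        <cfset var table = resolveTableName(arguments.tablename)>

        <!--- Identifiers cannot be bound as parameters, so only the vetted name is interpolated;
              every value goes through cfqueryparam --->
        <cfquery datasource="#application.dsn#">
            UPDATE #table#
            SET status = <cfqueryparam value="#arguments.status#" cfsqltype="cf_sql_varchar">
            WHERE id = <cfqueryparam value="#arguments.id#" cfsqltype="cf_sql_integer">
        </cfquery>
    </cffunction>

</cfcomponent>
```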