Make sure that you understand the security implications of using queries
with <cfqueryparam>. <cfqueryparam> defends you against SQL injection
attacks and should always be used with untrusted data such as user input.
If you're dynamically building your query, you can't use <cfqueryparam> with
CF. In that case you need to make sure that you sanitize any user input to
remove characters that are potential SQL injection hazards. Note that using
a whitelist approach is greatly preferred to using a blacklist approach.
Note also that just because you build some of your query dynamically doesn't
mean you have to build all of it dynamically--you can mix your dynamic part
in with a static part that uses <cfqueryparam>. Then so long as the dynamic
part is not built from untrusted data you won't have to do any additional
work to sanitize your data to remove characters that are potential SQL
injection hazards.
Note that with BlueDragon you CAN build a dynamic query string that contains
<cfqueryparam>. Then when you pass it to <cfquery>, you use the render()
function just as you're currently using the preserveSingleQuotes() function:
<cfquery ....>
#render(Variables.myQueryString)#
</cfquery>
But note that using the render() function with untrusted data opens you up
to CFML injection attacks so you'll need to sanitize for those.
Josh
-----Original Message-----
From: David Carter [mailto:[EMAIL PROTECTED]
Sent: Monday, August 07, 2006 4:34 PM
To: CF-Talk
Subject: Re: cfquery - single quotes become doubled
Thanks all, PreserveSingleQuotes() solved the problem.
>That's by design. ColdFusion is escaping your single quotes.
>
>You need to either wrap your string in the PreserveSingleQuotes()
>function or, better, use <cfqueryparam>
>
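An added example (not code from Josh's message, the CF-Talk thread, or BlueDragon) of the mixing approach described above: the ORDER BY column, which cannot be bound with <cfqueryparam>, is the only dynamic fragment and is taken from a whitelist, while the untrusted filter value goes through <cfqueryparam>. The datasource "hr", the employees table and its column names are assumed for illustration.

```cfml
<!--- Added example: whitelist the dynamic part, parameterize the untrusted part.
      Datasource "hr", table "employees" and its columns are assumed names. --->

<!--- The ORDER BY identifier cannot be bound with <cfqueryparam>, so it is the
      one piece that has to be built dynamically. Instead of sanitizing the raw
      input, accept only names from this list (whitelist, not blacklist). --->
<cfset allowedSortColumns = "lastName,firstName,hireDate">
<cfset sortColumn = "lastName">
<cfparam name="form.sortBy" default="lastName">
<cfparam name="form.department" default="">

<cfset matchPos = listFindNoCase(allowedSortColumns, form.sortBy)>
<cfif matchPos GT 0>
    <!--- Use the whitelist's own spelling, never the submitted string itself. --->
    <cfset sortColumn = listGetAt(allowedSortColumns, matchPos)>
</cfif>

<!--- The static part keeps <cfqueryparam>, so the untrusted department value
      never becomes part of the SQL text. Writing it instead as
      WHERE department = '#preserveSingleQuotes(form.department)#'
      would turn off ColdFusion's quote escaping and let attacker-supplied
      quotes reach the database, which is exactly the hazard Josh describes. --->
<cfquery name="qEmployees" datasource="hr">
    SELECT employeeId, firstName, lastName, hireDate
    FROM employees
    WHERE department = <cfqueryparam value="#form.department#"
                                     cfsqltype="cf_sql_varchar"
                                     maxlength="50">
    ORDER BY #sortColumn#
</cfquery>
```

Because the dynamic part is chosen from the whitelist rather than copied from the request, no further sanitizing of form.sortBy is needed.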
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249242