Hi all,

I have a few questions about using CFCs with dynamic tables.

i.e. 

<cfquery>
.....
FROM #ARGUMENTS.tablename#
.....
</cfquery>

now I would normally pass that argument via the calling page as a request 
variable.

First question, is that safe enough?

I wasn't sure if it was so I thought about using this (untested)

<!--- Character check: with returnSubExpressions=TRUE, pos[1] is 0 when no
      invalid character was found; the trailing "-" in the class is a literal hyphen --->
<cfset tableOK = REFindNoCase("[^A-Za-z_-]+", ARGUMENTS.tablename, 1, "TRUE")>
<cfif tableOK.pos[1] GT 0>
<cfabort>
</cfif>

<!--- Allow-list check against the catalog: 'dbo' is a schema, not a table type --->
<cfquery name="GetTableNames" datasource="#ARGUMENTS.DSN#">
SELECT  TABLE_NAME
FROM    Information_Schema.Tables
WHERE   TABLE_SCHEMA = 'dbo'
AND     TABLE_TYPE = 'BASE TABLE'
ORDER BY Table_Name
</cfquery>

<cfset allowedtables = valuelist(GetTableNames.TABLE_NAME)>

<cfif not listfindnocase(allowedtables, ARGUMENTS.tablename)>
    <cfabort>
</cfif>

etc....

Now, if the above works, what would be the best way to implement it without 
having to repeat it at the start of each function? 
Lastly, would it be worthwhile using?
Thanks,

Richard
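One way to keep the check in a single place, as an added example that is not from the original post or any particular project: put the allow-list load and the validation into private methods of the CFC, call the validator from each public method, and use the catalog's own spelling of the name in the query. The component name, the DSN argument and the `getRows` method are assumed for illustration; the catalog query assumes SQL Server's INFORMATION_SCHEMA.

```cfml
<!--- TableData.cfc (added example; names and DSN are assumed) --->
<cfcomponent output="false">

    <cffunction name="init" access="public" returntype="any" output="false">
        <cfargument name="dsn" type="string" required="true">
        <cfset variables.dsn = arguments.dsn>
        <!--- Load the allow-list once at construction instead of once per call --->
        <cfset variables.allowedTables = loadAllowedTables()>
        <cfreturn this>
    </cffunction>

    <!--- Private: read the real table names from the catalog (SQL Server INFORMATION_SCHEMA assumed) --->
    <cffunction name="loadAllowedTables" access="private" returntype="string" output="false">
        <cfset var getTableNames = "">
        <cfquery name="getTableNames" datasource="#variables.dsn#">
            SELECT  TABLE_NAME
            FROM    INFORMATION_SCHEMA.TABLES
            WHERE   TABLE_SCHEMA = 'dbo'
            AND     TABLE_TYPE   = 'BASE TABLE'
            ORDER BY TABLE_NAME
        </cfquery>
        <cfreturn valueList(getTableNames.TABLE_NAME)>
    </cffunction>

    <!--- Private: the one place every public method sends a caller-supplied table name.
          Returns the catalog's spelling of the name, or throws. --->
    <cffunction name="assertTable" access="private" returntype="string" output="false">
        <cfargument name="tablename" type="string" required="true">
        <cfset var idx = 0>
        <!--- Cheap syntactic gate first: plain identifier characters only --->
        <cfif REFind("^[A-Za-z_][A-Za-z0-9_]*$", arguments.tablename) EQ 0>
            <cfthrow type="TableData.InvalidTable" message="Table name contains invalid characters">
        </cfif>
        <!--- Then the authoritative check against the catalog allow-list --->
        <cfset idx = listFindNoCase(variables.allowedTables, arguments.tablename)>
        <cfif idx EQ 0>
            <cfthrow type="TableData.InvalidTable" message="Unknown table">
        </cfif>
        <!--- Hand back the catalog's string, never the caller's --->
        <cfreturn listGetAt(variables.allowedTables, idx)>
    </cffunction>

    <!--- Public method: the table name is validated once here, values still go through cfqueryparam --->
    <cffunction name="getRows" access="public" returntype="query" output="false">
        <cfargument name="tablename" type="string" required="true">
        <cfargument name="id" type="numeric" required="true">
        <cfset var safeTable = assertTable(arguments.tablename)>
        <cfset var q = "">
        <cfquery name="q" datasource="#variables.dsn#">
            SELECT *
            FROM   [#safeTable#]
            WHERE  id = <cfqueryparam value="#arguments.id#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn q>
    </cffunction>

</cfcomponent>
```

Create it once per request or cache it in the application scope, for example `<cfset td = createObject("component", "TableData").init("myDSN")>`, then call `td.getRows(url.tablename, url.id)`. A table name cannot go through `cfqueryparam`, which is why the allow-list matters: only a string the catalog itself produced ever reaches the FROM clause, and each public method needs one call to `assertTable` rather than a copy of the whole check.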

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270175