I'd change the select * to a specific list of columns, and replace the '%... with a cfqueryparam as you well know.
On 9/11/07, Les Mizzell <[EMAIL PROTECTED]> wrote:
> I'm working my way through some legacy sites that have queries that need
> a little securing from SQL injection attacks. Most of them simply need
> cfqueryparam added. But, what's "best practice" for the simple query below?
>
> <cfquery name="getPA"
>          datasource="#request.datasource#"
>          username="#request.username#"
>          password="#request.password#">
>     SELECT * FROM pa
>     WHERE pa_name like '%#form.pa_name#%'
> </cfquery>

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:288162
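For reference, a hardened form of the quoted getPA query, added here as an example and not code from either poster: the column list is explicit and the whole LIKE pattern is passed as a bound cfqueryparam value, so form.pa_name can never become part of the SQL text. The column names (pa_id, pa_name, pa_status), the maxlength, and ESCAPE support in the target database are assumptions.

```cfml
<!--- Added example, not from the original thread.
      Column names and maxlength are assumptions for this illustration. --->

<!--- Any % or _ the user types would still act as LIKE wildcards.
      That is not injection (the value is bound), but it can widen the match,
      so escape them and tell the database which escape character we used. --->
<cfset safePattern = Replace(form.pa_name, "\", "\\", "all")>
<cfset safePattern = Replace(safePattern, "%", "\%", "all")>
<cfset safePattern = Replace(safePattern, "_", "\_", "all")>

<cfquery name="getPA"
         datasource="#request.datasource#"
         username="#request.username#"
         password="#request.password#">
    SELECT pa_id, pa_name, pa_status
    FROM pa
    WHERE pa_name LIKE <cfqueryparam value="%#Trim(safePattern)#%"
                                     cfsqltype="cf_sql_varchar"
                                     maxlength="200">
          ESCAPE '\'
</cfquery>
```

The wildcards belong inside the cfqueryparam value, not around it in the SQL; writing '%<cfqueryparam ...>%' produces invalid SQL, since the parameter is a bound value rather than text spliced into the statement.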

