I guess I'm a little unclear on how to use a "like" with cfqueryparam.
> I'd change the select * to a specific list of columns, and replace the
> '%... with a cfqueryparam as you well know.
>
> On 9/11/07, Les Mizzell <[EMAIL PROTECTED]> wrote:
>> I'm working my way through some legacy sites that have queries that need
>> a little securing from SQL injection attacks. Most of them simply need
>> cfqueryparam added. But, what's "best practice" for the simple query below?
>>
>> <cfquery name="getPA"
>>          datasource="#request.datasource#"
>>          username="#request.username#"
>>          password="#request.password#">
>>     SELECT * FROM pa
>>     WHERE pa_name like '%#form.pa_name#%'
>> </cfquery>

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:288164
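An added example, not code from the thread, of the quoted query with the LIKE pattern bound through cfqueryparam instead of interpolated into the SQL string. The table and column names and the request.* connection variables are taken from the quoted message; the ESCAPE clause in the second query assumes a database that accepts the standard `ESCAPE` syntax.

```cfml
<!--- Hardened form of the quoted query: the wildcards are part of the bound
      parameter value, so form.pa_name is sent as data, never as SQL text. --->
<cfquery name="getPA"
         datasource="#request.datasource#"
         username="#request.username#"
         password="#request.password#">
    SELECT pa_name
    FROM pa
    WHERE pa_name LIKE <cfqueryparam value="%#form.pa_name#%"
                                     cfsqltype="cf_sql_varchar">
</cfquery>

<!--- cfqueryparam stops injection, but a user-supplied "%" or "_" still acts
      as a LIKE wildcard. If the input must match literally, escape those
      characters (backslash first, so later escapes are not re-escaped) and
      tell the database which escape character was used. --->
<cfset literalName = ReplaceList(form.pa_name, "\,%,_", "\\,\%,\_")>

<cfquery name="getPALiteral"
         datasource="#request.datasource#"
         username="#request.username#"
         password="#request.password#">
    SELECT pa_name
    FROM pa
    WHERE pa_name LIKE <cfqueryparam value="%#literalName#%"
                                     cfsqltype="cf_sql_varchar"> ESCAPE '\'
</cfquery>
```

Some databases treat the backslash inside the `ESCAPE '\'` literal specially, so check the escape syntax for the specific engine behind request.datasource.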