You should be able to straight up replace the part after like with a
cfqueryparam. Keep the percent signs in and everything. 

-----Original Message-----
From: Les Mizzell [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 11, 2007 11:22 AM
To: CF-Talk
Subject: How to protect this query?

I'm working my way through some legacy sites that have queries that need a
little securing from SQL injection attacks. Most of them simply need
cfqueryparam added. But, what's "best practice" for the simple query below?


<cfquery name="getPA"
          datasource="#request.datasource#"
          username="#request.username#"
          password="#request.password#">
   SELECT * FROM pa
   WHERE pa_name like '%#form.pa_name#%'
</cfquery>
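Worked example, added here and not part of either post: the query as posted beside the hardened form the reply describes, with the wildcards kept inside the bound parameter. The second hardened variant goes slightly beyond the thread by also escaping the LIKE metacharacters a user might type (`%`, `_`, `\`), so they match literally instead of widening the search; the `ESCAPE '\'` clause and the `pa_name` column length used for `maxlength` are assumptions about the database, not something the original message states.

```cfml
<!--- BEFORE (as posted): form.pa_name is pasted straight into the SQL text,
      so anything the user types becomes part of the statement --->
<cfquery name="getPA"
          datasource="#request.datasource#"
          username="#request.username#"
          password="#request.password#">
   SELECT * FROM pa
   WHERE pa_name LIKE '%#form.pa_name#%'
</cfquery>

<!--- AFTER: the whole pattern, percent signs included, is sent as a bound
      parameter. The driver never treats its contents as SQL. --->
<cfquery name="getPA"
          datasource="#request.datasource#"
          username="#request.username#"
          password="#request.password#">
   SELECT * FROM pa
   WHERE pa_name LIKE <cfqueryparam value="%#form.pa_name#%"
                                    cfsqltype="cf_sql_varchar">
</cfquery>

<!--- AFTER, stricter: cfqueryparam stops injection, but a user-supplied
      '%' or '_' is still a LIKE wildcard and can turn a lookup for
      "a%" into a scan of the whole table. Escape those characters first
      (backslash before the others, so the escape char itself is handled),
      then tell the database which escape character was used.
      Assumptions: the DBMS accepts an ESCAPE clause and pa_name is
      at most 100 characters (maxlength caps what is sent). --->
<cfset safePattern = "%" & replaceList(form.pa_name, "\,%,_", "\\,\%,\_") & "%">
<cfquery name="getPA"
          datasource="#request.datasource#"
          username="#request.username#"
          password="#request.password#">
   SELECT * FROM pa
   WHERE pa_name LIKE <cfqueryparam value="#safePattern#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="102"> ESCAPE '\'
</cfquery>
```

The second and third forms are equivalent from an injection standpoint; the third only changes what the search means when the input itself contains wildcard characters, which is worth deciding deliberately on a legacy site rather than inheriting by accident.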



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:288166