Am I not able to use cfqueryparam in the order by column?

    Select * from tablename order by <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#SORTCOLUMN#">

The error I'm getting on a Windows 2003 server running CF7 is:

/[Macromedia][SQLServer JDBC Driver][SQLServer]The SELECT item identified by the ORDER BY number 1 contains a variable as part of the expression identifying a column position. Variables are only allowed when ordering by an expression referencing a column name./

If I just have to do the following...

    Select * from tablename order by #sortcolumn#

....then my SQL call is not secure from SQL injection. Does this mean I need to write my own tests for the "sortcolumn" variable being passed or create a case statement which then inserts the correct column name?

OR...the scenario that is MUCH more likely, am I missing something?
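One way to write the case-statement approach the post asks about, as an added example that is not part of the original message: a bind parameter carries a value, not an identifier, so the column name is picked from a fixed allow-list and only those literals ever reach the SQL text. The column names (id, lastname, created), the url.sort and url.dir parameters, and request.dsn are assumptions made for illustration.

```cfml
<!--- Added example: allow-list for ORDER BY. Column names, url.sort, url.dir
      and request.dsn are hypothetical and not taken from the original post. --->
<cfparam name="url.sort" default="id">
<cfparam name="url.dir"  default="asc">

<!--- Map the request value to a literal column name. The request value itself
      is never written into the SQL; anything unrecognized gets the default. --->
<cfswitch expression="#LCase(Trim(url.sort))#">
    <cfcase value="id">
        <cfset sortColumn = "id">
    </cfcase>
    <cfcase value="name">
        <cfset sortColumn = "lastname">
    </cfcase>
    <cfcase value="created">
        <cfset sortColumn = "created">
    </cfcase>
    <cfdefaultcase>
        <cfset sortColumn = "id">
    </cfdefaultcase>
</cfswitch>

<!--- The sort direction is a keyword, so it cannot be bound either and gets
      the same fixed-choice treatment. --->
<cfif CompareNoCase(Trim(url.dir), "desc") EQ 0>
    <cfset sortDir = "DESC">
<cfelse>
    <cfset sortDir = "ASC">
</cfif>

<cfquery name="qRows" datasource="#request.dsn#">
    SELECT id, lastname, created
    FROM tablename
    ORDER BY #sortColumn# #sortDir#
</cfquery>
```

Values in a WHERE clause of the same query would still go through cfqueryparam; the allow-list covers only the parts of the statement that cannot be bound.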

