You can't use params to control the structure of the statement, only
the values passed into the statement.

If you're concerned about injection, you can attempt to clean the
value before inlining it, or use a CF conditional to emit static
stuff:

<cfif sortcolumn EQ "name">name<cfelse>age</cfif>

cheers,
barneyb

On 9/17/07, Vince Collins <[EMAIL PROTECTED]> wrote:
> Am I not able to use cfqueryparam in the order by column?
>
> Select * from tablename order by <cfqueryparam
> cfsqltype="CF_SQL_VARCHAR" value="#SORTCOLUMN#">
>
> The error I'm getting on a windows 2003 server running CF7 is:
> [Macromedia][SQLServer JDBC Driver][SQLServer]The SELECT item
> identified by the ORDER BY number 1 contains a variable as part of the
> expression identifying a column position. Variables are only allowed
> when ordering by an expression referencing a column name.
>
> If I just have to do the following...
>
> Select * from tablename order by #sortcolumn#
>
> ...then my SQL call is not secure from SQL injection.  Does this mean I
> need to write my own tests for the "sortcolumn" variable being passed or
> create a case statement which then inserts the correct column name?
>
> OR...the scenario that is MUCH more likely, am I missing something?
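The whitelist approach barneyb describes, worked through as an added example (this is not code from either poster): Python with the standard library's sqlite3 module stands in for the CFML and SQL Server of the thread, and the table, rows and column names are constructed for the demonstration. It shows three things: binding the column name as a parameter makes it a constant value rather than an identifier (SQL Server rejects that outright, as the error in the question shows; SQLite accepts the statement and simply does not sort by the named column), inlining the raw value lets any expression into ORDER BY, and a lookup table of permitted column names and directions keeps caller-controlled text out of the statement altogether.

```python
import sqlite3

# Constructed sample rows; insertion order deliberately matches neither
# name order nor age order so the effect of each ORDER BY is visible.
ROWS = [("carol", 41), ("alice", 29), ("bob", 35), ("dave", 22)]

# Whitelist: request value -> SQL fragment. Only these ever reach the SQL.
ALLOWED_SORT_COLUMNS = {"name": "name", "age": "age"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def open_db():
    """Create an in-memory table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def order_by_param(conn, sortcolumn):
    """The original poster's attempt: bind the column name as a parameter.

    A parameter is a value, not an identifier. The bound string is the
    same constant for every row, so there is nothing to sort on and the
    rows do not come back ordered by that column.
    """
    sql = "SELECT name, age FROM people ORDER BY ?"
    return conn.execute(sql, (sortcolumn,)).fetchall()


def order_by_inline(conn, sortcolumn):
    """The insecure fallback from the question: the raw value becomes SQL.

    Whatever the caller supplies is parsed as part of the statement, so an
    arbitrary expression, not just a column name, ends up in ORDER BY.
    """
    sql = f"SELECT name, age FROM people ORDER BY {sortcolumn}"
    return conn.execute(sql).fetchall()


def sort_clause(sortcolumn, direction="asc"):
    """Map request values onto a fixed set of SQL fragments.

    Raises ValueError for anything outside the whitelist, so no
    caller-controlled characters are ever concatenated into the statement.
    """
    try:
        column = ALLOWED_SORT_COLUMNS[sortcolumn]
        order = ALLOWED_DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError(f"unsupported sort: {sortcolumn!r} {direction!r}") from None
    return f"ORDER BY {column} {order}"


def order_by_whitelist(conn, sortcolumn, direction="asc"):
    """Safe version: the statement text only ever contains whitelist values."""
    sql = "SELECT name, age FROM people " + sort_clause(sortcolumn, direction)
    return conn.execute(sql).fetchall()


def is_allowed_sort(sortcolumn, direction="asc"):
    """True when sort_clause() would accept this column/direction pair."""
    return (sortcolumn in ALLOWED_SORT_COLUMNS
            and direction.lower() in ALLOWED_DIRECTIONS)


if __name__ == "__main__":
    db = open_db()
    print("param     :", order_by_param(db, "age"))
    print("whitelist :", order_by_whitelist(db, "age"))
    # Attacker-controlled expression smuggled through the inlined version:
    # the row order now answers a yes/no question about the database.
    probe = ("CASE WHEN (SELECT count(*) FROM sqlite_master) > 0 "
             "THEN name ELSE age END")
    print("inline    :", order_by_inline(db, probe))
```

In CFML the equivalent of `sort_clause` is the cfif/cfelse barneyb shows (or a cfswitch, or a struct keyed by the permitted names); the property that matters is that the text spliced into the SQL comes from the application's own table of column names, never from the request, so the only "validation" the request value needs is a lookup that fails closed.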

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:288601