Thanks Barney. I have to say, though, that I am willing to bet there are programmers who think their SQL is safe from injection just by using cfqueryparam and forgetting about the ORDER BY clause, if they allow that to be passed in...

    select * from tablename order by #columnname#

    index.cfm?columnname=blah;delete from tablename

OUCH

Barney Boisvert wrote:
> You can't use params to control the structure of the statement, only
> the values passed into the statement.
>
> If you're concerned about injection, you can attempt to clean the
> value before inlining it, or use a CF conditional to emit static
> stuff:
>
> <cfif sortcolumn EQ "name">name<cfelse>age</cfif>
>
> cheers,
> barneyb
>
> On 9/17/07, Vince Collins <[EMAIL PROTECTED]> wrote:
>
>> Am I not able to use cfqueryparam in the order by column?
>>
>> Select * from tablename order by <cfqueryparam
>> cfsqltype="CF_SQL_VARCHAR" value="#SORTCOLUMN#">
>>
>> The error I'm getting on a Windows 2003 server running CF7 is:
>> [Macromedia][SQLServer JDBC Driver][SQLServer]The SELECT item
>> identified by the ORDER BY number 1 contains a variable as part of the
>> expression identifying a column position. Variables are only allowed
>> when ordering by an expression referencing a column name.
>>
>> If I just have to do the following...
>>
>> Select * from tablename order by #sortcolumn#
>>
>> ...then my SQL call is not secure from SQL injection. Does this mean I
>> need to write my own tests for the "sortcolumn" variable being passed, or
>> create a case statement which then inserts the correct column name?
>>
>> OR... the scenario that is MUCH more likely: am I missing something?
>>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
ColdFusion 8 - Build next generation apps today, with easy PDF and Ajax features - download now http://download.macromedia.com/pub/labs/coldfusion/cf8_beta_whatsnew_052907.pdf
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:288602
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
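One way to implement the whitelist Barney describes, as an added example that is not part of the thread: the client-supplied sort key is only ever used to look up a known column name, and values still go through cfqueryparam. The table, column and datasource names (people, last_name, created_on, myDSN) and the URL parameter names are hypothetical; the code uses structNew() and bracket assignment so it also runs on CF7, the version in the thread.

```cfml
<!--- Added example, not code from the thread: whitelist the ORDER BY column
      so only known identifiers are ever inlined into SQL. Table, column and
      datasource names (people, last_name, myDSN) are hypothetical. --->

<!--- Map the sort keys a client may send to the real column names --->
<cfset allowedSorts = structNew()>
<cfset allowedSorts["name"] = "last_name">
<cfset allowedSorts["age"]  = "age">
<cfset allowedSorts["date"] = "created_on">
<cfset allowedDirs = "ASC,DESC">

<!--- Request input, with defaults when absent --->
<cfparam name="URL.sortcolumn" default="name">
<cfparam name="URL.dir" default="ASC">
<cfparam name="URL.status" default="active">

<!--- Anything not in the map falls back to the default, so a value such as
      "blah;delete from tablename" is never used to build the statement --->
<cfset sortKey = "name">
<cfif structKeyExists(allowedSorts, URL.sortcolumn)>
    <cfset sortKey = URL.sortcolumn>
</cfif>
<cfset sortDir = "ASC">
<cfif listFindNoCase(allowedDirs, URL.dir)>
    <cfset sortDir = uCase(URL.dir)>
</cfif>
<cfset orderBy = allowedSorts[sortKey] & " " & sortDir>

<!--- Values are bound with cfqueryparam; the ORDER BY identifier comes only
      from the whitelist above, never from the request --->
<cfquery name="people" datasource="myDSN">
    SELECT id, last_name, age, created_on
    FROM   people
    WHERE  status = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#URL.status#">
    ORDER BY #orderBy#
</cfquery>
```

Barney's `<cfif sortcolumn EQ "name">name<cfelse>age</cfif>` is the two-column case of the same idea; the struct lookup scales to more columns and keeps the list of sortable columns in one place. Note that the map also decouples the key the client sends from the real column name, so the schema is not exposed in the URL.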

