On 9/17/07, Dave Watts <[EMAIL PROTECTED]> wrote:
>
>
> >
> > <cfset NewSort = component.method(qOrderField=Val(name)) />
> >
> > <cffunction>
> > <cfargument name="qOrderField" type="string" default="*">
> > <cfquery name="q">
> > select *
> > from
> > Order By #Arguments.qOrderField#
> > </cfquery>
> > <cfreturn q>
> > </cffunction>
>
> How does that prevent SQL injection?
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
Good point, Dave.
Guess you really need a list to start with or something... Still better than
a bunch of if or switch statements.
Test.cfm
<cfset test = createObject("component", "test")>
<!--- the only column names that may ever reach the ORDER BY --->
<cfset Thelist = "Col1,Col2,Col3,Col4">
<cfif structKeyExists(URL, "Sort")>
    <!--- position of the requested column in the list; 0 when it is not there --->
    <cfset sort = ListFindNoCase(Thelist, URL.Sort)>
    <cfif sort GT 0>
        <!--- pass the list's own spelling of the column, never URL.Sort itself --->
        <cfset OrderByCol = ListGetAt(Thelist, sort)>
        <cfset NewSort = test.sort(OrderByCol)>
        <cfdump var="#NewSort#">
    <cfelse>
        <!--- ListGetAt(Thelist, 0) would throw; report the bad value instead --->
        <cfoutput>Invalid sort column</cfoutput>
    </cfif>
</cfif>
~~~
Test.cfc
<cfcomponent output="false">
    <cffunction name="sort" access="public" returntype="query">
        <!--- qOrderField is interpolated straight into the SQL, so the caller
             must only ever pass a value taken from its own column list --->
        <cfargument name="qOrderField" type="String" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="">
            select *
            from table
            Order By #Arguments.qOrderField#
        </cfquery>
        <cfreturn q>
    </cffunction>
</cfcomponent>
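Added example (my own, not code from the original post or from Dave): the same allowlist idea written as a lookup struct, so the request only ever selects an entry and the string that reaches the ORDER BY is always one of the struct's own values. It also handles the not-found case explicitly and treats the sort direction the same way, since "asc"/"desc" from the URL is user input too. The component layout, the orders table, the OrderDate/Customer/Total columns and the datasource name are assumptions for illustration.

```cfml
<!---
  OrderDAO.cfc (added example, not from the original post).
  Table "orders", columns OrderDate/Customer/Total and the datasource
  passed to init() are assumed names for illustration.
--->
<cfcomponent output="false">

  <cffunction name="init" access="public" returntype="any">
    <cfargument name="dsn" type="string" required="true">
    <cfset variables.dsn = arguments.dsn>
    <!--- request key to real column name. Keys are what the URL may carry;
         values are the only strings that will ever be put into the SQL. --->
    <cfset variables.sortColumns = structNew()>
    <cfset variables.sortColumns["date"]     = "OrderDate">
    <cfset variables.sortColumns["customer"] = "Customer">
    <cfset variables.sortColumns["total"]    = "Total">
    <cfreturn this>
  </cffunction>

  <cffunction name="resolveOrderBy" access="public" returntype="string">
    <cfargument name="sortKey" type="string" required="true">
    <cfargument name="sortDir" type="string" default="asc">
    <cfset var column = "">
    <cfset var direction = "ASC">
    <!--- Anything that is not a key of the allowlist is rejected here, so
         a bad value produces a clear error instead of a SQL error (or worse). --->
    <cfif not structKeyExists(variables.sortColumns, arguments.sortKey)>
      <cfthrow type="InvalidSortColumn"
               message="Unknown sort column: #htmlEditFormat(arguments.sortKey)#">
    </cfif>
    <cfset column = variables.sortColumns[arguments.sortKey]>
    <!--- Direction is user-controlled as well: map it, never interpolate it. --->
    <cfif lcase(arguments.sortDir) eq "desc">
      <cfset direction = "DESC">
    </cfif>
    <cfreturn column & " " & direction>
  </cffunction>

  <cffunction name="getOrders" access="public" returntype="query">
    <cfargument name="sortKey" type="string" default="date">
    <cfargument name="sortDir" type="string" default="asc">
    <cfargument name="minTotal" type="numeric" default="0">
    <cfset var q = "">
    <cfset var orderBy = resolveOrderBy(arguments.sortKey, arguments.sortDir)>
    <!--- Values go through cfqueryparam. Identifiers cannot, which is why the
         ORDER BY text comes from resolveOrderBy and never from the request. --->
    <cfquery name="q" datasource="#variables.dsn#">
      SELECT OrderDate, Customer, Total
      FROM orders
      WHERE Total >= <cfqueryparam value="#arguments.minTotal#" cfsqltype="cf_sql_numeric">
      ORDER BY #orderBy#
    </cfquery>
    <cfreturn q>
  </cffunction>

</cfcomponent>
```

From the page you would call it as createObject("component", "OrderDAO").init("myDSN").getOrders(URL.sort, URL.dir) after checking the URL keys exist; a sort value that is not a key of the struct raises InvalidSortColumn before any SQL is built, and the WHERE value is still parameterised because that part is a value, not an identifier.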
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:288660