On 9/17/07, Dave Watts <[EMAIL PROTECTED]> wrote:
>
>
> >
> > <cfset NewSort = component.method(qOrderField=Val(name)) />
> >
> > <cffunction>
> > <cfargument name="qOrderField" type="string" default="*">
> >    <cfquery name="q">
> >        select *
> >         from
> >       Order By #Argument.qOrderField#
> >    </cfquery>
> >    <cfreturn q>
> > </cffunction>
>
> How does that prevent SQL injection?
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
Good point Dave,

Guess you really need a list to start with or something... Still better than
a bunch of if or switch statements.

Test.cfm
    <cfset test    = createObject("component", "test")>
    <!--- Allow-list of sortable columns; only these names ever reach the SQL --->
    <cfset Thelist = "Col1,Col2,Col3,Col4">

    <cfif IsDefined('URL.Sort')>

        <!--- ListFindNoCase returns 0 when URL.Sort is not in the list --->
        <cfset sort = ListFindNoCase(Thelist, URL.Sort)>

        <cfif sort GT 0>
            <!--- Use the list's own spelling, never the raw URL value --->
            <cfset OrderByCol = ListGetAt(Thelist, sort)>
            <cfset NewSort    = test.sort('#OrderByCol#') />
            <cfdump var="#NewSort#">
        <cfelse>
            <!--- Unknown column: ListGetAt(Thelist, 0) would throw, so stop here --->
            <cfoutput>Unknown sort column.</cfoutput>
        </cfif>

    </cfif>

~~~
Test.cfc

<cfcomponent output="false">
    <!--- The argument is still interpolated into the SQL text, so the
          caller's list check is the only thing keeping it to a column name --->
    <cffunction name="sort" returntype="query">
        <cfargument name="qOrderField" type="String" default="">
        <cfquery name="q" datasource="">
            select *
            from table
            Order By #Arguments.qOrderField#
        </cfquery>
        <cfreturn q>
    </cffunction>
</cfcomponent>
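The allow-list idea in the post, carried through in Python with sqlite3 as an added example (not code from the thread; the column names Col1..Col4, the `orders` table and its rows are constructed here). It shows the raw-interpolation form next to the allow-listed form, handles the case Dave's question points at (a value that is not in the list falls back to a default instead of reaching the SQL or crashing the way `ListGetAt(Thelist, 0)` would), and shows why a bind parameter does not solve ORDER BY: it binds a value, not an identifier.

```python
import sqlite3

# Allow-list of sortable columns: the only strings that may ever reach the SQL text.
# Constructed for this example, mirroring the "Col1,Col2,Col3,Col4" list in the post.
ALLOWED_SORT_COLUMNS = ("Col1", "Col2", "Col3", "Col4")
DEFAULT_SORT_COLUMN = "Col1"
ALLOWED_DIRECTIONS = ("ASC", "DESC")


def resolve_sort_column(requested, allowed=ALLOWED_SORT_COLUMNS, default=DEFAULT_SORT_COLUMN):
    """Map user input onto an allow-list entry, case-insensitively.

    Returns the list's own spelling, never the raw input, so whatever is
    interpolated into the query is always one of our literals. Unknown or
    missing values fall back to the default instead of raising.
    """
    if requested is None:
        return default
    wanted = requested.strip().casefold()
    for column in allowed:
        if column.casefold() == wanted:
            return column
    return default


def resolve_direction(requested, default="ASC"):
    """Same treatment for ASC/DESC, which is also a keyword, not a bindable value."""
    if requested is None:
        return default
    wanted = requested.strip().upper()
    return wanted if wanted in ALLOWED_DIRECTIONS else default


def build_order_by(sort_param, dir_param=None):
    """Build the ORDER BY clause from allow-listed tokens only."""
    return f"ORDER BY {resolve_sort_column(sort_param)} {resolve_direction(dir_param)}"


def make_sample_db():
    """Constructed in-memory table standing in for the post's 'table'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (Col1 INTEGER, Col2 TEXT, Col3 INTEGER, Col4 TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [(3, "pear", 30, "x"), (1, "apple", 10, "y"), (2, "fig", 20, "z")],
    )
    conn.commit()
    return conn


def unsafe_query(conn, sort_param):
    """The pattern from the post before the list check: raw input in the SQL text.
    Whatever expression the caller supplies becomes part of the statement."""
    return conn.execute(f"SELECT * FROM orders ORDER BY {sort_param}").fetchall()


def safe_query(conn, sort_param, dir_param=None):
    """Hardened form: only allow-listed tokens are ever concatenated."""
    return conn.execute(f"SELECT * FROM orders {build_order_by(sort_param, dir_param)}").fetchall()


def bound_identifier_query(conn, sort_param):
    """Why a bind parameter is not the answer here: '?' binds a *value*, so the
    database sorts by the constant string, which leaves row order unchanged."""
    return conn.execute("SELECT * FROM orders ORDER BY ?", (sort_param,)).fetchall()


if __name__ == "__main__":
    db = make_sample_db()
    print(safe_query(db, "col2"))              # sorted by Col2, case-insensitive match
    print(safe_query(db, "Col1 DESC, Col2"))   # not a single listed name: default Col1 ASC
    print(build_order_by("COL3", "desc"))      # ORDER BY Col3 DESC
```

The point of returning the list's own spelling rather than the matched input is that the SQL text is then built entirely from constants the developer wrote; the user's value only selects which constant, which is the same property the CFML `ListFindNoCase`/`ListGetAt` pair gives once the zero-position case is handled.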


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:288660