Dominic makes a good point. To this end, I often find it useful to use my 'sortBy' params as aliases rather than as direct SQL, so something like this:

    <!--- function name and the _dsn variable are illustrative; only the body was in the original post --->
    <cffunction name="getPeople" access="public" returntype="query" output="false">
        <cfargument name="sortBy" type="string" default="name" />
        <cfset var order = "" />
        <cfset var qfoo = "" />

        <!--- map the caller's alias to a fixed ORDER BY clause; user input never reaches the SQL --->
        <cfswitch expression="#arguments.sortBy#">
            <cfcase value="id">
                <cfset order = "personID" />
            </cfcase>
            <cfcase value="title">
                <cfset order = "title, lastName, firstName" />
            </cfcase>
            <cfdefaultcase>
                <!--- this handles 'name' and any attempts to send in garbage --->
                <cfset order = "lastName, firstName" />
            </cfdefaultcase>
        </cfswitch>

        <cfquery name="qfoo" datasource="#_dsn#">
            SELECT personID, firstName, lastName, title
            FROM person
            ORDER BY #order#
        </cfquery>

        <cfreturn qfoo />
    </cffunction>

Note that not only is my query now safe from injection, but I can easily change my sort criteria. Say I call this from multiple places in my code, because I need different user lists in different places. Then, if I need to change the sort from (Last name, First name) to (First name, Last name), my sortBy="name" remains the same throughout my application, and I only have to change this:

    <cfset order = "firstName, lastName" />

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320103
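The same alias-to-clause pattern, written as an added Python example against an in-memory SQLite table rather than the CFML of the post above (this is not the poster's code). The table, the sample rows and the function names are constructed for the example; the three aliases and the ORDER BY fragments mirror the cfswitch in the post. ORDER BY cannot take a bind parameter (a bound value is a constant, not a column reference), which is why the column list has to come from a fixed allow-list rather than from the request.

```python
import sqlite3

# Constructed sample data for the example; not from the original post.
SAMPLE_PEOPLE = [
    (1, "Zoe", "Young", "Engineer"),
    (2, "Adam", "Baker", "Manager"),
    (3, "Maria", "Alvarez", "Engineer"),
]

# Allow-list: caller-facing alias -> fixed ORDER BY fragment.
# Mirrors the cfcase/cfdefaultcase branches in the post.
SORT_CLAUSES = {
    "id": "personID",
    "title": "title, lastName, firstName",
    "name": "lastName, firstName",
}
DEFAULT_SORT = "name"


def order_clause(sort_by):
    """Map a caller-supplied alias to one of the fixed ORDER BY fragments.

    Anything not in the allow-list (a typo, or anything else a client sends)
    falls back to the default, like cfdefaultcase in the post. The caller's
    string itself is never concatenated into the SQL.
    """
    return SORT_CLAUSES.get(sort_by, SORT_CLAUSES[DEFAULT_SORT])


def open_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE person "
        "(personID INTEGER, firstName TEXT, lastName TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO person VALUES (?, ?, ?, ?)", SAMPLE_PEOPLE)
    return conn


def get_people(conn, sort_by="name"):
    """Equivalent of the post's getPeople(): only a value taken from
    SORT_CLAUSES is ever spliced into the ORDER BY."""
    sql = (
        "SELECT personID, firstName, lastName, title FROM person ORDER BY "
        + order_clause(sort_by)
    )
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = open_db()
    for alias in ("id", "title", "name", "not-an-alias"):
        print(alias, "->", order_clause(alias))
        print("   ", [row[0] for row in get_people(db, alias)])
```

Changing the meaning of the "name" alias application-wide is now a one-line edit to SORT_CLAUSES, which is the maintainability point the post makes alongside the injection one.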

