To be a bit more exact, you can only use cfqueryparam in a place where a
regular SQL parameter could be used. For MSSQL server, this could be in
the WHERE clause, the SELECT clause, JOINs, etc. However, SQL Server
doesn't allow you to do this:
DECLARE @orderBy varchar(50)
SET @orderBy = 'name'
SELECT name
FROM person
ORDER BY @orderBy
Therefore, you cannot parametrize that portion of a select with a
cfqueryparam either.
The important thing to come away from this with is that you still need
to prevent SQL Injection attacks! Blindly outputting the values sent in
from an Ajax call could be hazardous to one's server. One method is to
check the contents of ARGUMENTS.gridsortcolumn and ARGUMENTS.gridsortdir
against a list of known good values.
<!--- only emit ORDER BY when the column is on the allow-list --->
<cfif listfindnocase("firstName,lastName,age", arguments.gridsortcolumn)>
    ORDER BY #arguments.gridsortcolumn# <cfif arguments.gridsortdir eq "DESC">DESC</cfif>
</cfif>
~Brad
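The allow-list approach above, as an added example that is not from this thread: it uses Python with an in-memory SQLite table in place of ColdFusion and MSSQL, and assumes a person table with firstName, lastName and age columns. The WHERE value is a bound parameter, the ORDER BY text comes only from the allow-list, and the last function shows why a bound parameter in ORDER BY is no substitute for that check.

```python
import sqlite3

# Allow-list of sortable columns, mirroring the listfindnocase() check in the
# post. Matching is case-insensitive, but the canonical name from this list is
# what reaches the SQL text, never the caller's string.
SORTABLE_COLUMNS = ("firstName", "lastName", "age")

def build_order_by(column, direction):
    """Return a safe ORDER BY clause, or raise ValueError for an unknown column."""
    canonical = {c.lower(): c for c in SORTABLE_COLUMNS}.get(column.lower())
    if canonical is None:
        raise ValueError("unsortable column: %r" % column)
    # Anything other than DESC (case-insensitive) falls back to ASC, as in the post.
    order = "DESC" if direction.upper() == "DESC" else "ASC"
    return "ORDER BY %s %s" % (canonical, order)

def make_db():
    """Constructed in-memory sample table (assumed schema: person)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (firstName TEXT, lastName TEXT, age INTEGER)")
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)",
                     [("Zoe", "Young", 41), ("Adam", "Baker", 29), ("Mia", "Chen", 35)])
    return conn

def fetch_sorted(conn, min_age, column, direction):
    """The WHERE value is bound; ORDER BY comes only from build_order_by()."""
    sql = ("SELECT firstName, lastName, age FROM person WHERE age >= ? "
           + build_order_by(column, direction))
    return conn.execute(sql, (min_age,)).fetchall()

def fetch_with_bound_order_by(conn, column):
    """A bound parameter in ORDER BY is a constant expression, identical for
    every row, so it imposes no column ordering at all (no error, just no sort)."""
    return conn.execute("SELECT firstName FROM person ORDER BY ?", (column,)).fetchall()
```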
-------- Original Message --------
Subject: Re: AJAX CFGRID will not sort by column?
From: Glyn Jackson <[email protected]>
Date: Tue, November 03, 2009 5:50 am
To: cf-talk <[email protected]>
Thanks Ray, seems strange, I did not know that.
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327955