I am sure others will have a _lot_ more to say on the subject. But here is my
$0.02....
> can you put a cfqueryparam around the variable above?
No. Cfqueryparam is used for parameter _values_. It prevents whatever value you
pass in from being executed as part of the parent sql statement. So while you
could technically wrap the string in cfqueryparam, it would not be executed.
> is this secure from SQL attacks?
Absolutely not. Normally, CF escapes single quotes automatically, to help fight
sql injection. Using PreserveSingleQuotes _suppresses_ that behavior, making
the query more vulnerable to attacks.
> recommend doing to secure this more?
Well, not using that kind of dynamic sql would be a good start ...
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:334061
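To make the point above concrete, here is an added example (not code from the original post or from the person who asked the question) showing the PreserveSingleQuotes pattern that the reply warns against next to a version of the same query built with cfqueryparam. The datasource name, table, column names and form fields are assumptions for illustration only.

```cfml
<!--- Added example, not from the original thread. Datasource "shop", table
      "products" and the form fields are hypothetical. --->

<!--- VULNERABLE: the WHERE clause is assembled as a string from user input.
      CF would normally escape single quotes inside #...# before the query is
      sent; PreserveSingleQuotes() turns that escaping off, so a value such as
          x' OR 1=1 --
      is executed as part of the statement. cfqueryparam cannot fix this,
      because it only parameterizes a single value, not a chunk of SQL. --->
<cfset whereClause = "category = '" & form.category & "'">
<cfquery name="qBad" datasource="shop">
    SELECT id, name, price
    FROM   products
    WHERE  #PreserveSingleQuotes(whereClause)#
</cfquery>

<!--- HARDENED: no dynamic SQL string. Every user-supplied value goes through
      cfqueryparam, which sends it as a bound parameter of the declared type,
      so quotes in the input are data, never SQL. --->

<!--- The sort column cannot be a bind parameter, so it is checked against a
      fixed whitelist and falls back to a safe default (assumed columns). --->
<cfset allowedSort = "name,price,id">
<cfset sortCol = "name">
<cfif listFindNoCase(allowedSort, form.sortBy)>
    <cfset sortCol = form.sortBy>
</cfif>

<cfquery name="qGood" datasource="shop">
    SELECT id, name, price
    FROM   products
    WHERE  category = <cfqueryparam value="#form.category#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
    <cfif len(trim(form.ids))>
        <!--- list="true" binds each comma-separated item as its own
              parameter; non-integer items raise an error instead of
              being spliced into the statement. --->
        AND id IN (<cfqueryparam value="#form.ids#"
                                 cfsqltype="cf_sql_integer"
                                 list="true">)
    </cfif>
    ORDER BY #sortCol#
</cfquery>
```

The second query keeps the "optional" parts of the WHERE clause as CFML conditionals around parameterized fragments rather than as a string the caller builds, which is the usual way to avoid needing PreserveSingleQuotes at all. The one thing that still lands in the SQL text unparameterized, the ORDER BY column, is restricted to a hard-coded list before use.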