Bryan and Matt, please tell me you use cfqueryparam on your SELECT statements where you accept user provided information such as FORM or URL variables... right?
If you don't, you are exposing yourselves to SQL injection attacks. It's not just on INSERT and UPDATE statements that you are vulnerable; it's any time you access your DB and pass in values from your users. As a rule of thumb here, we never write a query without a cfqueryparam tag =]

On Tue, Oct 26, 2010 at 11:24 AM, Matt Quackenbush <[email protected]> wrote:

> @ Bryan-
>
> You are apparently correct on #1. I shall try and remember that in the future. It is now obvious to me that stating that the code works absolutely perfectly in one environment does not lead to everyone understanding that it is not an issue of incomplete code.
>
> As for #2, it is a SELECT INTO statement, so, yes, it needs <cfqueryparam />. I too have never seen <cfqueryparam /> in a normal SELECT FROM statement.
>
> @ All-
>
> It seems that I have managed to find not one, but two bugs in CF8.0.1. I will post the bug reports as soon as I have had an opportunity to make them.
>
> For those who might stumble across this post in the future, the workaround is two-fold:
>
> 1) Use the 'result' attribute on <cfquery> instead of the 'name' attribute. (Grab the newly inserted ID from 'result.identitycol'.)
>
> 2) Use a standard 'VALUES' insert, rather than a 'SELECT' insert. If you need the lookup on a value (e.g. when you'd normally use a 'SELECT' insert), you can either make a prior db call to get the value(s), or you can have a lookup struct/query in cache to pull the values from.
>
> HTH

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338567
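An added example, not code from anyone in this thread, showing the pattern the poster describes: a SELECT that interpolates a URL value directly into the SQL text next to the same query with cfqueryparam, plus a FORM-driven search and the plain VALUES insert with the 'result' attribute from Matt's workaround. The datasource name myDSN and the users table are assumptions.

```cfml
<!--- Vulnerable: url.userID is pasted straight into the SQL text, so whatever
      the client sends becomes part of the statement the DB parses. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT user_id, username
    FROM users
    WHERE user_id = #url.userID#
</cfquery>

<!--- Hardened: cfqueryparam sends the value as a bind parameter, kept apart
      from the SQL text, and cf_sql_integer rejects non-numeric input. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT user_id, username
    FROM users
    WHERE user_id = <cfqueryparam value="#url.userID#" cfsqltype="cf_sql_integer" />
</cfquery>

<!--- Same for a string from a FORM post: a LIKE search with a varchar type and
      a maxlength that caps what is accepted (the LIKE wildcard stays in CFML). --->
<cfquery name="findUsers" datasource="myDSN">
    SELECT user_id, username
    FROM users
    WHERE username LIKE <cfqueryparam value="#form.search#%"
                                      cfsqltype="cf_sql_varchar" maxlength="50" />
</cfquery>

<!--- Workaround from the thread: a plain VALUES insert (no SELECT insert) using
      the 'result' attribute instead of 'name', then reading the new identity
      value from result.identitycol (assumed: the DSN points at SQL Server). --->
<cfquery result="insertResult" datasource="myDSN">
    INSERT INTO users (username, email)
    VALUES (
        <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50" />,
        <cfqueryparam value="#form.email#" cfsqltype="cf_sql_varchar" maxlength="255" />
    )
</cfquery>
<cfset newUserID = insertResult.identitycol />
```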

