No, cfqueryparam does not work in the order by clause.
However, when using url params passed to a query for altering the order I use
if/then logic to set the order by clauses to prevent SQLi.
if (url.sortby EQ 'D') { orderby = "mycolumn DESC"; } else { orderby = "mycolumn ASC"; }
This is a simple and effective way to prevent SQLi in the order by clauses.
Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com
[email protected]
www.trunkful.com
On Jul 21, 2013, at 12:50 PM, Dave Hatz <[email protected]> wrote:
>
> I know using cfqueryparam helps with hack attempts on your database and it
> helps performance for the execution of the queries.
>
> Question, does using the cfqueryparam help with performance on the ORDER BY
> clause? One some of our pages we give the user the ability to change the
> sort order of the data being displayed. But, we do not use CFQUERYPARAM on
> the ORDER BY clauses.
>
> Thanks,
> Dave Hatz
>
>
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356263