If you're using SQL Server 7 you should _always_ use Val() in CFQUERY tags when
expecting an integer, because if your CFQUERY says:
SELECT foo
FROM bar
WHERE id=#url.id#
and someone changes the URL from:
www.mysite.com/qwe.cfm?id=1
to
www.mysite.com/qwe.cfm?id=1;delete%20from%20bar
then what gets thrown to the DB is:
SELECT foo
FROM bar
WHERE id=1;delete from bar
and SQL Server 7 treats this as two valid SQL statements and runs them.
You should write:
SELECT foo
FROM bar
WHERE id=#Val(url.id)#
Bert
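To make the mechanism concrete, here is an added example (not from the original post or from ColdFusion itself) that models Val()'s leading-number semantics in Python and shows what reaches the database with and without it. The cf_val() function is an assumed approximation of ColdFusion's Val() (sign, digits, optional fraction; 0 when nothing numeric leads), and the crafted id value is the one from the post's URL.

```python
import re

# Assumed approximation of ColdFusion's Val(): take the leading numeric prefix
# of a string (optional whitespace, optional sign, digits, optional fraction)
# and return it as a number, or 0 when the string does not start with a number.
_LEADING_NUMBER = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)")


def cf_val(s):
    m = _LEADING_NUMBER.match(s)
    if not m:
        return 0
    text = m.group(0).strip()
    return float(text) if "." in text else int(text)


def build_query_unsafe(url_id):
    # WHERE id=#url.id#  -> the URL parameter is pasted straight into the SQL
    return "SELECT foo FROM bar WHERE id=" + url_id


def build_query_val(url_id):
    # WHERE id=#Val(url.id)#  -> only the numeric prefix reaches the database
    return "SELECT foo FROM bar WHERE id=" + str(cf_val(url_id))


def statement_count(sql):
    # Rough check of how many statements SQL Server 7 would see in the batch
    # (splits on ';' and ignores quoting, which is enough for this demonstration).
    return len([part for part in sql.split(";") if part.strip()])


if __name__ == "__main__":
    crafted = "1;delete from bar"  # constructed from the URL in the post
    print(build_query_unsafe(crafted), "->", statement_count(build_query_unsafe(crafted)), "statement(s)")
    print(build_query_val(crafted), "->", statement_count(build_query_val(crafted)), "statement(s)")
```

Val() only helps where a number is expected; string parameters need a different defence, and on ColdFusion versions that support it, <cfqueryparam cfsqltype="cf_sql_integer"> enforces the type at the driver level instead of in the page.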
> -----Original Message-----
> From: Maia, Eric [mailto:[EMAIL PROTECTED]]
> Sent: 31 January 2001 19:21
> To: CF-Talk
> Subject: RE: String to Int
>
>
> I think this server is running ColdFusion 4.5.1, and it's
> accessing SQL
> Server 7.
>
> > -----Original Message-----
> > From: Maia, Eric [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, January 30, 2001 17:07
> > To: CF-Talk
> > Subject: RE: String to Int
> >
> > I now use #Val(string_variable)# when I
> > know I'll need an integer (e.g. inserting into a numeric DB column).
Archives: http://www.mail-archive.com/[email protected]/