The SQL syntax generated by the ColdFusion server is dependent on the target
database.

For an ODBC, DB2, or Informix data source, the generated syntax of the SQL
statement is as follows:

    SELECT * 
    FROM courses
    WHERE col1=?

For an Oracle 7 or Oracle 8 data source, the syntax of the SQL statement is
as follows:

    SELECT * 
    FROM courses
    WHERE col1=:1

For a Sybase11 data source, the syntax of the SQL statement is as follows:

    SELECT * 
    FROM courses
    WHERE col1=10


Steven Semrau
SRA International, Inc.
Senior Member, Professional Staff
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Com:  (703) 805-1095
DSN:  (703) 655-1095
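As an added example (not code from either poster), here is the query from the original post written so that the value is actually bound the way the syntax above describes: the # delimiters make ColdFusion evaluate form.what instead of sending the literal string "form.what", and the wildcards sit inside the parameter value so the whole LIKE pattern travels as one bound value rather than a '?' trapped inside a string literal. The cfsqltype and maxlength are assumptions about the LastName column, not facts from the thread.

```cfml
<!--- Vulnerable form (as in the thread): user input is spliced into the SQL text,
      so a value like the wibble';drop table ... example changes the statement --->
<cfquery name="contacts" datasource="Contacts">
    SELECT ID, FirstName, LastName, JobTitle, BusinessPhone
    FROM exoduscontacts
    WHERE LastName LIKE '%#form.what#%'
    ORDER BY LastName ASC
</cfquery>

<!--- Hardened form: the driver sends the SQL with a bind marker (the '?' seen in
      debug output) and the pattern as separate data. Note the value attribute
      uses #form.what# (evaluated) and carries the % wildcards itself, and the
      tag is not wrapped in quotes. cfsqltype/maxlength are assumed column facts. --->
<cfquery name="contacts" datasource="Contacts">
    SELECT ID, FirstName, LastName, JobTitle, BusinessPhone
    FROM exoduscontacts
    WHERE LastName LIKE <cfqueryparam value="%#form.what#%"
                                      cfsqltype="cf_sql_varchar"
                                      maxlength="120">
    ORDER BY LastName ASC
</cfquery>
```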


-----Original Message-----
From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 05, 2001 9:23 AM
To: CF-Talk
Subject: RE: Oddness with cfqueryparam


> Personally I've never used the CFQueryparam tag, but surely the query should
> read,

:goes to a web site you've written and types into a form box:
wibble';drop table *;select * where lastname='wibble

Oops...

> LastName like '%#form.what#%' ORDER BY LastName ASC

Yes, unsurprisingly that works, but I need to clean the user input up, and I
don't fancy writing my own sanitiser...

-----Original Message-----
From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 05, 2001 1:55 PM
To: CF-Talk
Subject: Oddness with cfqueryparam


cfqueryparam doesn't seem to be doing as expected:

<cfquery name="contacts" datasource="Contacts"  >
SELECT ID, FirstName, LastName, JobTitle,BusinessPhone FROM exoduscontacts
WHERE 
LastName like '%<cfqueryparam value="form.what">%' ORDER BY LastName ASC
</cfquery>

Debugging shows
Form Fields:
FIELDNAMES=WHAT
WHAT=ch
and the query as
SQL =
SELECT ID, FirstName, LastName, JobTitle,BusinessPhone FROM exoduscontacts
WHERE 
LastName like '%?%' ORDER BY LastName ASC

What gives? Shouldn't cfqueryparam sanitise the string (for " and ; etc.)?

Regards,

Thomas Chiverton,
Intranet Architect and Desktop Analyst
Office: 01565 757 909
As a GUI, reality is useless...