Fair comment,


Jason Lees
National Express 
Systems Department.
E-Mail : [EMAIL PROTECTED]



-----Original Message-----
From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 05, 2001 2:23 PM
To: CF-Talk
Subject: RE: Oddness with cfqueryparam


> Personally I've never used the CFQueryparam tag, but surely the query should
> read,

:goes to a web site you've written and types into a form box:
wibble';drop table *;select * where lastname='wibble

Oops...

> LastName like '%#form.what#%' ORDER BY LastName ASC

Yes, unsurprisingly that works, but I need to clean the user input up, and I
don't fancy writing my own sanitiser...

-----Original Message-----
From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 05, 2001 1:55 PM
To: CF-Talk
Subject: Oddness with cfqueryparam


cfqueryparam doesn't seem to be doing as expected:

<cfquery name="contacts" datasource="Contacts"  >
SELECT ID, FirstName, LastName, JobTitle,BusinessPhone FROM exoduscontacts
WHERE 
LastName like '%<cfqueryparam value="form.what">%' ORDER BY LastName ASC
</cfquery>

Debugging shows
Form Fields:
FIELDNAMES=WHAT
WHAT=ch 
and the query as 
SQL = 
SELECT ID, FirstName, LastName, JobTitle,BusinessPhone FROM exoduscontacts
WHERE 
LastName like '%?%' ORDER BY LastName ASC

What gives? Shouldn't cfqueryparam sanitise the string (for " and ; etc.)?

Regards,

Thomas Chiverton,
Intranet Architect and Desktop Analyst
Office: 01565 757 909
As a GUI, reality is useless...
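The posted query binds nothing: value="form.what" (no # signs) passes the literal string form.what, and the ? placeholder ends up inside the quoted '%...%' literal, which is exactly what the debug output shows. A corrected version, added here as an example and not the poster's code, puts the LIKE wildcards inside the bound value so the whole pattern travels as one parameter and the drop-table input above is matched as text rather than executed (datasource, table and form field names are the ones from the thread; cfsqltype is the standard cfqueryparam attribute):

```cfml
<!--- Corrected form of the query from the thread.
      The wildcards live inside the parameter value, so the SQL text
      contains a bare ? placeholder and the driver binds the pattern. --->
<cfquery name="contacts" datasource="Contacts">
SELECT ID, FirstName, LastName, JobTitle, BusinessPhone
FROM exoduscontacts
WHERE LastName LIKE <cfqueryparam value="%#form.what#%" cfsqltype="cf_sql_varchar">
ORDER BY LastName ASC
</cfquery>

<!--- Sanity check for the input the reply above typed into the form:
      with the pattern bound, the quote and semicolon are part of the data,
      so the statement stays a single SELECT and simply finds no match. --->
<cfset injected = "wibble';drop table *;select * where lastname='wibble">
<cfquery name="check" datasource="Contacts">
SELECT COUNT(*) AS n
FROM exoduscontacts
WHERE LastName LIKE <cfqueryparam value="%#injected#%" cfsqltype="cf_sql_varchar">
</cfquery>
<cfoutput>Rows matching the injected string: #check.n#</cfoutput>
```

In the debug output the corrected SQL should show LIKE ? with no surrounding quotes; if the quotes are still there, the placeholder is part of a string literal and nothing is being bound.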
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists