> SELECT * FROM MyTable WHERE MyId = #Val(form.MyId)#
'cause what you really need to do is sanitise all your strings to prevent
any cross site scripting problems too.
I use something like
<!--- replace angle brackets with their HTML entities --->
<cfset attributes.string = REReplaceNoCase(attributes.string,"<","&lt;","ALL")>
<cfset attributes.string = REReplaceNoCase(attributes.string,">","&gt;","ALL")>
<!--- whitelist: anything outside this class becomes a space
      (one character in the class did not survive the list archive's encoding) --->
<cfset attributes.string = REReplaceNoCase(attributes.string,"[^a-zA-Z0-9 @.,:-�/\$%\/&##]"," ","ALL")>
in a custom tag and call it on variables that get inserted into a
database, or eventually shown on screen.
By not allowing ';' (line 3's regexp, note '^') you type SQL into a form box
and have it execute.
By replacing '<' and '>' with their entities we also stop CSS problems, it
being difficult to write HTML code without angle brackets.
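The approach in the post, as an added ColdFusion example that is not part of the original message: the whitelist regexp wrapped in a function, `Val()` combined with `cfqueryparam` for the numeric id from the quoted query, and entity encoding applied at output time. The datasource name `myDsn` and the table `MyTable(MyId, MyName)` are assumed placeholders, and the sample input is constructed.

```cfml
<!--- Added example; not the poster's code. Assumes a datasource "myDsn"
      and a table MyTable(MyId INT, MyName VARCHAR) exist (placeholders). --->

<!--- 1. The whitelist sanitiser from the post as a reusable function.
      Every character outside the class becomes a space, so ';', quotes and
      angle brackets never reach the query or the page. The hyphen is placed
      last so it is a literal, not a range. --->
<cffunction name="sanitiseString" returntype="string" output="false">
    <cfargument name="str" type="string" required="true">
    <cfset var clean = REReplace(arguments.str, "[^a-zA-Z0-9 @.,:/\$%&##-]", " ", "ALL")>
    <cfreturn clean>
</cffunction>

<!--- 2. Numeric ids: Val() as in the quoted SELECT, plus cfqueryparam so the
      driver binds the value and the SQL text itself never changes. --->
<cffunction name="getRowById" returntype="query" output="false">
    <cfargument name="id" type="string" required="true">
    <cfset var q = "">
    <cfquery name="q" datasource="myDsn">
        SELECT MyId, MyName FROM MyTable
        WHERE MyId = <cfqueryparam value="#Val(arguments.id)#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfreturn q>
</cffunction>

<!--- 3. Output: encode on the way out, so a value that legitimately contains
      '<' or a quote is still displayed but never interpreted as markup. --->
<cfset userInput = "O'Neil <b>bold</b>; DROP TABLE MyTable">   <!--- constructed sample --->
<cfset cleaned = sanitiseString(userInput)>
<cfoutput>
    Sanitised (stripped) value: #cleaned#<br>
    Encoded display value: #HTMLEditFormat(userInput)#<br>
    Id lookup with form.MyId = "7; DROP TABLE MyTable": #Val("7; DROP TABLE MyTable")# rows looked up via cfqueryparam<br>
</cfoutput>
```

Note the difference between the two defences: the whitelist strips characters, so "O'Neil" is stored as "O Neil", which is fine for a search term but loses data on a name field, whereas `cfqueryparam` and `HTMLEditFormat()` keep the value intact and only control how it is interpreted.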
Archives: http://www.mail-archive.com/[email protected]/